Friday, November 17, 2023

Clorox hackers take a scalp

Clorox got hacked a couple months back which has led to shortages of the product.  It looks like Management has thrown their Chief Information Security Officer out the door:

The Clorox Company's chief security officer has left her job in the wake of a corporate network breach that cost the manufacturer hundreds of millions of dollars.

Amy Bogac held the title of chief information security officer (CISO) and VP of enterprise security and infrastructure at Clorox since June 2021, per her LinkedIn profile.

While her LinkedIn profile doesn't indicate any job changes, Friday was Bogac's last day at the multinational cleaning product conglomerate, according to Bloomberg News, which reviewed an internal memo and cited two people familiar with the matter.

I'm of two minds on this.  The first is that Clorox undoubtedly underinvested in cyber security, so it's no surprise that they got hacked, and this is management offering up a sacrificial victim to the shareholders.  The second, though, is that Ms. Bogac was in fact the head of cybersecurity and she is understandably in the hot seat.

The third (yeah I know I said "two", stick with me here) is that being a CISO is a no-win situation.

 

6 comments:

  1. Kinda like being the coach of a losing team, it may not be your fault, but you can't fire the team

    ReplyDelete
  2. Problem with playing defense is that you have to be successful every time, whereas the attacker only needs to be successful once. So, yeah, it's a no win position if the bosses don't recognize that.

    In this situation, with lack of behind the scenes knowledge we don't know if the bosses just took that approach or if they determined if she really failed to take precautions that anyone else in the field would have and was therefore truly deficient.

    And of course, it's almost certain that the bosses themselves failed to spend enough on security. But another question behind that is if they denied her requests for such spending that would have been reasonable. Or if she didn't even ask for the resources. Or even - if her entire position, her background, her instructions, were to not even bother asking for the resources necessary. A chilling effect on doing the job right, based upon hints from on high.

    I don't know. Anyone in such high level of management is more politician than technician. And at that level, supporting the wishes of the bosses is the name of the game - not doing what your department experts want.

    I'd edge towards her being a scapegoat because the bosses (CEO, board of directors, activist investors) can't accept the blame that their own desires and directives resulted in an entirely predictable outcome.

    ReplyDelete
  3. Gee; did the hackers use Bleachbit?...

    I had to... No; I really had to...

    ReplyDelete
  4. There's always a hacker out there smarter than the desk jockey.

    ReplyDelete
  5. Good Shot,Pete!

    Amy Bogac held the title of chief information security officer (CISO) and VP of enterprise security and infrastructure at Clorox since June 2021,

    What we don't know is, what was her budget, had she told The Bosses that they were vulnerable and they needed to take steps to protect themselves.
    But, without extenuating circumstances,,

    Amy Bogac held the title of chief information security officer (CISO) and VP of enterprise security and infrastructure at Clorox since June 2021,

    It was her job to protect the company.
    As noted earlier,, They only have to get it right Once
    She had to get it right every time..
    Doesn't sound like the kind of job I would ever want.

    ReplyDelete
  6. Always has been, always will be... underfunded, over tasked...

    ReplyDelete

Remember your manners when you post. Anonymous comments are not allowed because of the plague of spam comments.