>I get it that the SEC wants to change this culture and have a designated person meaningfully responsible for infosec risk, but it feels that it's a case of stick before the carrot.
They have that already, it’s the CEO: he is supposed to have ultimate responsibility, which is why he (or she) gets obscene compensation. He should be incentivized to hire the best CISO he can find because he’s facing jail time if he doesn’t.
Instead he has 0 responsibility because literally everything is an underling's fault.
It's somewhat wild: I remember as a kid being taught that those with the power are the ones with the responsibility. And yet once I entered the workforce, it turns out it's the opposite.
While this may be true most of the time, there are cases where the CEO has taken full responsibility. A podcast [1] by Darknet Diaries on a breach in 2015 at mobile provider TalkTalk in the UK tells of such a case.