I see a lot of companies without top security leadership representation, i.e. without a CISO. Check out a few company leadership pages sometime. The point is that with no application security expert in the board room, don’t expect security concerns to be raised until your next public security incident. Keep in mind that the job of the CISO is not to be the scapegoat for your next public security incident; we are way past that now. The job is to identify and reduce the business risks and injury posed by technology products and services to acceptable levels. Two points: 1) you need a CISO, and 2) hire a knowledgeable CISO if you like your executive job or board position.
A couple of cases that could have been avoided, or gone much better, with a knowledgeable CISO:
FTC.gov: The Matter of LabMD, Inc.
Forbes.com: Target CEO Fired – Can You Be Fired If Your Company Is Hacked?
*Photo from the Transformers film, 2007