Clorox CISO flushes self after multimillion-dollar cyberattack

The Clorox Company's chief security officer has left her job in the wake of a corporate network breach that cost the manufacturer hundreds of millions of dollars. Amy Bogac held the title of chief information security officer (CISO) and VP of enterprise security and infrastructure at Clorox since June 2021, per her LinkedIn …

  1. An_Old_Dog Silver badge

    Which Sitch?

    Every time I read one of these articles detailing a major breach shortly followed by the firing of the CISO, I always wonder which situation it was:

    (1) The CISO said/wrote, "We need to do these things [followed by a list]; it will cost X amount of money," was overruled by the remainder of the C-suiters, who claimed, "That's too much money, so we won't do that," and when the warned-against breach did occur, the CISO was beaten like a sacrificial goat (well, fired), or,

    (2) The CISO truly was incompetent.

    (Icon for CISO on fire.)

    1. Michael Wojcik Silver badge

      Re: Which Sitch?

      Or the CISO came up with a valid program to improve security, and it was funded by the exec team, but the existing mess just took too long to clean up and someone got in before defenses could be raised adequately.

      Or the program was a success, but because security is never perfect, some attacker got lucky. Maybe they successfully phished or social-engineered the right person. Maybe an employee made a mistake. Maybe there's a 0day in some piece of border equipment.

      While my sympathy budget for players in the C-suite is low, I'm pretty unhappy about a CISO taking the blame for something like this where there isn't public evidence of incompetence or wrongdoing. It's impossible to distinguish from scapegoating by the other execs and the board, and it discourages people from taking senior positions in IT security.

      Frankly, this entire episode stinks, and no amount of bleach is going to remove that odor.

      1. Ex CISO

        Re: Which Sitch?

        @Michael Wojcik- YESSSSS!

        Thank you.

    2. Anonymous Coward

      Re: Which Sitch?

      This! 100,000 times this! I used to do security, and I was *good* at it; then a few years ago the process turned to this.

      1) Our security is bad, fix it.

      2) Whoa! What do you mean it costs money and requires changes in the way we use the Internet? You're a security expert, secure it.

      3) How come we got hacked? We hired you to keep our [horribly misconfigured systems || out-of-support legacy systems with Internet connections || applications that should never have been directly web-facing in the cloud || applications mostly coded by copying and pasting code from Stack Overflow || random packages from GitHub]

      5) What do you mean, use VPNs? It's in the cloud/SaaS; the vendor's responsible for it. They wouldn't let us face the Internet if it was a bad idea!

      6) Whoa! What do you mean [employees can't connect every random personal device to the network || if we restrict Internet access, how will people look at content not related to our business at all]?

      7) It's your fault, get out!

      Wash, rinse, repeat

  2. Yorick Hunt Silver badge

    "Best Practices"

    Just like other fads, "best practices" are revised on a seemingly daily basis, as the real world confronts the la-la land of the corporate world.

    Rather than investing grey matter into actually locking a network down, it's far easier for those with more titles than qualifications to simply grab off-the-shelf black box solutions, citing (when the inevitable happens) "best practices" as their excuse.

    Whether the CISO was dismissed or fell on her own sword is irrelevant; she'll turn up in a similar role at a similar company within weeks if not days. All while being less capable than the average teenage nerd in the realm of network security.

    1. Anonymous Coward

      Re: "Best Practices"

      But teenage nerds don't have the dosh to pay for multiple security certification courses.

      1. Someone Else Silver badge

        Re: "Best Practices"

        There is no such thing. Only "better practices", which are (ostensibly) better than the last set of "best practices".

  3. chuckufarley Silver badge

    Chlorine...

    ...is part of the heartbeat of modern civilization, because wherever there is clean water there is chlorine. This is the standard chain attack. Find any weakness related to a critical material and push as far as you can into their infrastructure and hope to break past it into other companies.

    1. t245t Silver badge

      Re: Chlorine...

      > ...is part of the heartbeat of modern civilization, because wherever there is clean water there is chlorine. This is the standard chain attack. Find any weakness related to a critical material and push as far as you can into their infrastructure and hope to break past it into other companies.

      What ?

      One use of chlorine is in swimming pools to kill germs. A side-effect being a chemical reaction with uric acid that produces that stinging eye sensation :o

  4. ChoHag Silver badge

    > "During her time at Clorox, she also developed a strong Security & Infrastructure team."

    Evidently not.

    1. Anonymous Coward

      Security and Infrastructure should be two separate teams, and for a company of that size, I'd suggest more than that.

  5. Dr Who

    When not if

    In the face of a highly determined, skilled, patient and well resourced adversary it is impossible to defend a complex and distributed IT infrastructure. The notion of "locking down the network" no longer has any meaning. We can't defend against all the known threats, let alone the unknown.

    We must therefore do what we can within the resources available to defend against the most common threats, whilst at the same time investing heavily in an effective and rapid alarm and recovery process for when the inevitable breach does happen.

    The potential cost of cyber security is limitless in as much as you can never achieve perfection. Given that no organisation has unlimited resources to throw at the problem, choices must always be made between risk and cost.

    1. t245t Silver badge

      Re: When not if

      > impossible to defend a complex and distributed IT infrastructure.

      Take a leaf from the bugler alarm industry. A second system monitoring the first with full irrevocable audit trail. Include a honeypot or “rabbit garden” to deflect the hackers away from the primary one.

      1. Tron Silver badge

        Re: When not if

        There is a lot that could be done but often isn't, more intranet use with no internet access, crimping networks to very low speeds if that is all that is required, modular systems, unattached from each other, airgapping with carbon-based lifeforms, and having an unattached duplicate system to secure and then flip to (hardware costs aren't that high). I do like the honeypot idea.

        If I was at GCHQ I would be boasting about a new, infallible encryption protocol and storing large files of random data where the 'state actors' could get at them. Knock yourselves out, guys.

      2. Michael Wojcik Silver badge

        Re: When not if

        I don't care how many buglers you have — our experience with car alarms shows that other people will just be annoyed and will ignore the bugling.

        On a more serious note, many businesses do have honeypots monitored by both automated tooling and defenders. Just like anything else, it's an imperfect solution. There is no silver bullet.

    2. Bitsminer Silver badge

      Re: When not if

      it is impossible to defend a complex and distributed IT infrastructure

      Yes but no.

      Google managed to implement a security strategy called "borderless" or "zero trust". I'm sure it wasn't cheap, but they were very motivated. They don't publish disclosures about breaches, though.

      Clorox factories and the usual corporate sales/marketing/C-level networks don't easily match this model. And for good reason: Clorox are selling chemicals not networks. They have the problem of relying on a complicated technology for survival but which is not central to their business. Just like every other enterprise on the planet.

      Whether it was unpatched web-facing routers, a successful phishing campaign, or an insider opening up their network, they had very little chance of a successful defence. Corporate network complexity exceeds the human capacity of a CIO/CISO to manage.

      It is possible with today's technology, but it is far from easy. And the industry likes it that way....

      1. Anonymous Coward

        Re: When not if

        To be fair that only means Google hasn't been breached majorly in a way that went public yet, not that it can't be done. (Let's ignore those fiber tees in the datacenters, please).

      2. Nate Amsden

        Re: When not if

        Google is also looking to yank Internet access from many employees because apparently zero trust isn't enough.

        https://www.theregister.com/2023/07/19/google_cuts_internet/

      3. Michael Wojcik Silver badge

        Re: When not if

        If you think zero-trust is a panacea, that just shows you don't understand IT security.

        Hell, if you think zero-trust is news, you probably don't pay enough attention to IT security to make a cogent argument about the relative advantages and disadvantages of various approaches.

  6. Anonymous Coward

    Bleach chiefs pleached in breach creach impeach veep?

  7. Roger Kynaston

    Florida businessman advice

    Did they "drink their own koolaid" and ingest some bleach?

    Enquiring minds wish to know.

  8. Bebu Silver badge

    The line

    In the last 20 years security has gone from being an essential component of the system and network administrators' roles to being purely specialized performance theatre.

    It doesn't surprise me that the wheels regularly fall off with these security muppets, albeit well credentialled, in charge.

    From my viewpoint: you walk in, evaluate the minimum that needs to be done a) immediately, b) as soon as possible, c) in the very near future, et seq. No dice? Walk out. Anything less is culpable complicity.

  9. Reginald O.

    What about...

    The insurance policy?

    I read some time ago computer insurance for malware hacks was extremely cheap. It's so cheap the corporations figured out they only needed to have the lawyers draw up an iron tight TOS and privacy policy then pay for insurance and they were covered.

    One guy was enough for "security" and it was his job to fall on the sword when something happened which was inevitable.

    So, this is different how? Did someone forget to pay the premium?
