CISO isn't a technical role
It's my job to talk with CISOs. I've discovered there are a few types:
1) former 'technical' person. Probably worked on a SOC team or did some red teaming at some point in their career. They view CISO as 'defend the network'. These guys tend to fail in the boardroom but tend to do a competent job with what little budget they get.
2) former 'cops'. Law enforcement, legal backgrounds, program managers for TLAs etc. They view being a CISO as 'risk management'. Do somewhat better with the boardroom, but also tend to be a bit brittle since they have impostor syndrome pretty hard with their technical team that reports to them.
2b) Subset of 2 that has done X things that have now 'solved security'. These are the ones that get hacked hard.
And finally, I'll take objection to the Senator's statement:
"The cyberattack against UHG could have been prevented had UHG followed industry best practices," said Wyden, concluding his rousing letter-cum-tirade. "UHG's failure to follow those best practices, and the harm that resulted, is the responsibility of the company's senior officials including UHG's CEO and board of directors"
MFA is a good thing, but the REAL question is how did somebody already have credentials? They were already breached, and they still haven't found the root cause.