Friday, September 29, 2017

When you are guaranteed to lose


Why would anybody take a job with the responsibility for cyber security of a large corporation? The heart of all cyber security is the knowledge that if someone can make it, someone can break it. If not today then tomorrow.
“It’s about the only executive-level job I can think of where you are 100 percent accountable for the failures to come even though it’s a guarantee that (they) will happen at some point,” Cunningham said.

“It’s like playing chess with a blindfold on,” added Cunningham. “You cannot win.”

Tech honchos blame their higher-ups — the bosses who don’t understand the threats, don’t want to spend money in an area that has no apparent return and don’t want to take responsibility when things go awry.

The job of CISO (pronounced see-so) used to be the digital equivalent of stocking the moat around the castle with crocodiles and making sure the drawbridge functioned.

“In the past, it was about defending the perimeter,” said Godfrey R. Sullivan, a former chief executive and current chairman of Splunk, a San Francisco company that produces software to analyze high volumes of machine-generated data.

But Sullivan said conditions have changed. Most likely, hackers have already gotten past the perimeter and reside in target networks.

“The bad guys are in your building,” Sullivan said. Information security officers nowadays have to hone their skills at continuous analysis of data entering and leaving the networks, he added.

Indeed, breaches may be inevitable.

“The long-time folks have been saying, it’s not ‘if’ but ‘when,’” said Rich Barger, director of security research at Splunk.

CISOs get in trouble, Sullivan said, when they discover breaches and don’t act quickly. That may have happened at Equifax.

According to security researcher Brian Krebs, one of the vulnerabilities of Equifax was at its Argentine operations, when hackers discovered they could access its website by typing in “admin” at login and “admin” at password. Another vulnerability involved failure of Equifax to patch a known security hole in its website application software that came to light in March.

“They say that happened in March. Well, what happened between March and now?” Sullivan asked.
With a breach guaranteed, you will get judged on your response to the breach. Nevertheless, it is a field with greater demand than supply of people; even capable failures can move to another position.
