27 tweets, 3 min read
The Equifax ex-CEO throwing an unnamed technician under the bus for the Equifax breach is positively maddening. Some thoughts:
There is never a single person at fault for a poor engineering decision. That isn't me as an engineer talking; that is Management 101.
We would laugh out of the room a CEO who said "The reason that we didn't file our taxes last year was an employee forgot to buy a stamp."
"And you didn't notice?" "No, we just assume that the Tax Stamp Buyer always buys stamps." "And who do they report to?" "Uh no one."
Think how much you can deduce about Equifax's security posture from the complaint that a single email getting not read enables this.
There is no ticketing system employed, because a ticketing system would (unlike email) show evidence of work being requested but not done.
There is no two-man rule for changes to critical systems, because that would produce another person with direct knowledge of this issue.
There is no culture of follow-through in the org, because the person reporting the vulnerability thought tossing it over the transom was "OK, done."
There is no centralized list, anywhere, of what software is deployed and what version it is. There is no process run against that list.
There are either no automated scans of deployed systems or they are severely deficient.
Management, up to and including the CEO, was aware of these deficiencies in controls and did not correct them, for years.
This is the sort of situation in which a Japanese CEO would resign while taking the blame for a lax managerial environment. That is correct.
Speaking of failures in leadership: if your immediate instinct as a leader is not to protect your team then what leader are you?
Congress is filled with idiots who can't insert a floppy disk correctly, and they want their pound of flesh. Alright, sucks. OFFER YOURS.
Equifax is entertaining questions on the employment status of the employee they blamed for this, because they blamed an employee for this.
At least they're saying "No comment" on that, but comment should never have been asked for, because CEO/CTO/etc should have jumped on this.
Also, since security is a process rather than a single binary event, there were numerous opportunities to improve even if compromised.
Banks expect to get robbed! They don't expect to get robbed of Literally All Of The Money because it was kept in a single unlocked room.
Equifax had terabytes of data exfiltrated off of their network. "And did we notice it?" "Nope." "And whose job was it to notice?" "..."
You would hope that a company with critical information would have wargamed out breach scenarios years ago and put in layers of defense.
"OK, if they pop a server, what do we do?" "An alarm is raised; we push the Madagascar button." "The what?" "Shut. Down. Everything."
I will bet at 100 to 1 odds that Equifax has no Madagascar button, the utility of which is obvious years before any particular breach.
I would also bet that Equifax did not think of the question "Who has the authority to push the Big Red Button?", which serious orgs do.
Here's another win for Japanese mgmt (we do get *some* things right): en.wikipedia.org/wiki/Andon_(ma… Literally anyone can push the Big Red Button.
There is a large car company that you're aware of which begins its training about Big Red Buttons with reasons why janitors have pushed it.
"But why would you let a janitor cost the company millions of dollars?" Because we made a considered decision about tolerances and quality.
Equifax has apparently not made that considered decision, which is the same thing as making a considered decision... they chose this outcome.
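To make the "centralized list" and "process run against that list" points concrete, here is an added illustration (example code written for this page, not from the thread, from Equifax, or from any real tool). It assumes a deployed-software inventory and an advisory table that names the first fixed version; every host, component, version, owner and advisory id below is constructed, and the advisory ids are placeholders rather than real CVEs. It compares versions numerically (so 2.3.9 is correctly below 2.3.10, which a string comparison gets wrong) and separately flags findings that have no named owner, which is the inbox-shaped hole the thread describes.

```python
"""Added example: a minimal "process run against the inventory" check.

Given a deployed-software inventory and a table of advisories stating the first
fixed version, report every deployment still below the fix and whether the
finding has a named owner. All data here is constructed for illustration.
"""
from dataclasses import dataclass
import re


def parse_version(text):
    """Turn '2.3.10' into (2, 3, 10); a non-numeric tail such as '-rc1' is ignored."""
    parts = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def version_lt(a, b):
    """True if version string a is strictly below b, comparing numerically and padding with zeros."""
    va, vb = parse_version(a), parse_version(b)
    n = max(len(va), len(vb))
    return va + (0,) * (n - len(va)) < vb + (0,) * (n - len(vb))


@dataclass(frozen=True)
class Finding:
    host: str
    component: str
    deployed: str
    fixed_in: str
    advisory: str
    owner: str  # "" means nobody is accountable for remediating it


# Constructed inventory: what runs where, and which team owns the host.
INVENTORY = [
    {"host": "web-01", "component": "example-framework", "version": "2.3.10", "owner": "team-web"},
    {"host": "web-02", "component": "example-framework", "version": "2.3.10", "owner": ""},
    {"host": "api-01", "component": "example-framework", "version": "2.3.32", "owner": "team-api"},
    {"host": "db-01", "component": "example-db", "version": "11.4", "owner": "team-data"},
]

# Constructed advisory table (placeholder ids, not real CVEs).
ADVISORIES = [
    {"id": "ADV-PLACEHOLDER-1", "component": "example-framework", "fixed_in": "2.3.32"},
    {"id": "ADV-PLACEHOLDER-2", "component": "example-db", "fixed_in": "11.3"},
]


def run_inventory_check(inventory, advisories):
    """Return a Finding for every deployment below an advisory's fixed version."""
    findings = []
    for adv in advisories:
        for item in inventory:
            if item["component"] != adv["component"]:
                continue
            if version_lt(item["version"], adv["fixed_in"]):
                findings.append(Finding(
                    host=item["host"], component=item["component"],
                    deployed=item["version"], fixed_in=adv["fixed_in"],
                    advisory=adv["id"], owner=item["owner"]))
    return findings


def unowned(findings):
    """Findings nobody is accountable for: the ones that would otherwise sit unread in an inbox."""
    return [f for f in findings if not f.owner]


if __name__ == "__main__":
    found = run_inventory_check(INVENTORY, ADVISORIES)
    for f in found:
        print(f"{f.host}: {f.component} {f.deployed} < {f.fixed_in} "
              f"({f.advisory}) owner={f.owner or 'NONE'}")
    print(f"{len(unowned(found))} finding(s) with no owner")
```

Run stand-alone it reports the two hosts still on 2.3.10 and notes that one of them has no owner; in a real organization the unowned list is the one that needs a ticket opened by the process itself rather than by whoever happened to read the advisory.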
Thread by Patrick McKenzie