In a move that has raised concerns about the company's cybersecurity posture, Amy Bogac, Clorox's CISO, has stepped down from her position. Bogac's departure comes as the company is still recovering from a devastating cyberattack that paralyzed its order fulfillment facilities for more than a month and led to a 20% decline in net revenue in the first quarter of the fiscal year.
The reasons behind Bogac's departure have not been publicly disclosed, but her decision to step down during such a critical time for Clorox's cybersecurity efforts has raised concerns among experts and investors alike. Some speculate that Bogac may have been frustrated with the company's slow response to the cyberattack and its lack of investment in cybersecurity measures. Others suggest that she may have simply felt overwhelmed by the challenges of leading the company's cybersecurity efforts in the aftermath of such a significant breach.
"For CISOs, the 'C' in the title designates a considerable degree of responsibility for material business value. An intense failure within your domain, especially one that detrimentally affects investors, leaves the leader to bear the brunt," said Sabino Marquez, CISO at Cognota Software, who last week gave a keynote on "Running Cybersecurity as a Business" at SecureWorld Seattle.
"Clorox, being a public company, leaves its CISO with fiduciary duties in both fact and act (even if not explicitly mentioned)," Marquez said. "Given this, leaders must be ready to confront the consequences of cybersecurity failures that inflict financial harm to investors. Conversely, if a CISO is to be held accountable in the same manner as a CFO or General Counsel concerning matters of investor confidence, the executive contours of the CISO role should be revisited to ensure that it has sufficient authority, agency, and institutional backing to defend data assets as a fiduciary."
Glenn Kapetansky, CSO and Technology Lead at Trexin, had this to say about Bogac, whom he knows well:
"I know Amy Bogac both professionally and personally, and she is well regarded in both circles. It is a stressful reality that incidents continue to increase somewhere in our ecosystem even as those ecosystems grow in complexity and our companies' reliance on them," Kapetansky said. "We CISOs have responded with better tools and training, of course, but also emphasizing resilience and mitigation. Having said all that, the CISO is the visible head of cybersecurity, and, however fairly or unfairly, is held accountable."
Whatever the reasons for the departure, Bogac's exit is a setback for Clorox as it grapples with the ongoing fallout from the security incident and the increasing sophistication of cyber threats. The company now faces the task of finding a new CISO who can not only restore trust in its cybersecurity capabilities but also lead the company into the future.
"Assuming Bogac knew the environment was vulnerable before the incident, if she withheld this from the responsible executives, then she should be fired," said Jared Pfost, independent consultant and former Security Assurance Director at The Walt Disney Company. "However, if she informed the executive committee of the risk and they accepted it by not acting, then she should be rewarded. Unfortunately, sometimes CIOs do not want CISOs to be transparent with the executive committee. The CISO implicitly accepts the risk and is rewarded for not rocking the boat, until an incident happens."
The challenges of securing a global supply chain
Clorox's cyberattack is just one of many recent incidents that have highlighted the growing security risks associated with global supply chains. As companies increasingly rely on third-party vendors and suppliers, their attack surfaces expand, making them more vulnerable to malicious actors.
In the case of Clorox, the cyberattack disrupted the company's ability to deliver products to its customers, causing significant financial losses. The attack also exposed sensitive customer data, potentially damaging the company's reputation and customer trust.
The need for strong cybersecurity leadership
Amidst these growing cybersecurity threats, the role of the CISO has become increasingly important. CISOs are responsible for overseeing and managing a company's cybersecurity program, which includes protecting its networks, data, and systems from cyberattacks.
In today's complex and interconnected world, CISOs need to be able to think strategically and communicate effectively with senior management, as well as have a deep understanding of cybersecurity technologies and best practices. They also need to be able to build and manage a team of skilled cybersecurity professionals, despite very challenging workforce dynamics.
Clorox's search for a new CISO will be critical to the company's ability to recover from the cyber incident and build a more resilient security posture. The company will undoubtedly search for a leader who can not only address the immediate challenges but also guide the company into the future of cybersecurity.