- Capital One's chief information security officer (CISO), Michael Johnson, is moving from his role following the July disclosure of a data breach that exposed up to 106 million customers' data, a bank spokesperson told Industry Dive on Thursday in an email.
- Johnson will remain at Capital One as an adviser, focused on the bank's ongoing response to the data breach. Meanwhile, the bank appointed Mike Eason as interim CISO and head of cyber. Eason previously served as the CIO for Capital One's commercial bank. Capital One is conducting an external search for a new CISO.
- Capital One employees cited high turnover in the cybersecurity unit before the breach, according to an August report in The Wall Street Journal. Some employees said Johnson's management style was unsuited to the public sector — he had previously worked for the federal government — and many "initial direct reports" left for other positions, The Journal reported. Capital One's cybersecurity organization frequently overstepped its budget, according to the report.
CISOs will often fall on their sword in light of a cyber event. Other times, it's not their choice.
Although it's seldom one person's responsibility covers all facets of security, the onus of a breach still falls on the shoulders of the CISO.
Prior to joining Capital One and the private sector, Johnson served in IT and security roles in the Department of Homeland Security, the White House and the Department of Energy, according to his LinkedIn page.
Capital One's public cloud-first strategy relies on Amazon Web Services, as opposed to private clouds and internal firewalls.
Former Amazon Web Services employee Paige "erratic" Thompson is accused of exploiting the "Server-Side Request Forgery" vulnerability to gain access to data from customers who applied for credit cards between 2005 and 2019. Thompson was released from federal custody Tuesday as she awaits trial.