Cyber Security Headlines: Week in Review (September 12, 2025)
Brief Overview
This episode, hosted by the CISO Series (possibly David Spark), assembles cyber leaders Howard Holton (CEO, GigaOM) and Rob Thiel (CTO, Oklahoma Department of Commerce) to unpack the week's most impactful security stories. Key topics include Qantas penalizing leadership after a massive breach, SAP's critical vulnerabilities, human and organizational failures behind SonicWall VPN flaws, the NSA/Cyber Command leadership model, and the rapid growth in US spyware investment. The hosts dig into the nuances of organizational responsibility, risk models, and the persistent gap between policy and practice, concluding with thoughts on positive industry shifts and vigilance.
Key Discussion Points & Insights
1. SAP’s Critical Vulnerabilities: Trust, Culture, and Shared Responsibility
[02:10 – 05:37]
- Howard’s Take: The week's biggest story is SAP’s multiple high-severity vulnerabilities, including several 10/10 CVSS issues.
  - Quote: “The big question ultimately is when are we going to accept that all of this stuff is a shared responsibility model... The vendor’s responsibility isn’t really the fixing of the things, but to take a proactive attitude that builds trust.” – Howard Holton [02:44]
- Trust Over Technology: Holton emphasizes that trust, not just technology, should be at the core of vendor and organizational response.
  - If trust-building is every executive’s job, not just the technologists', accountability and security improve.
- Rob’s Perspective: The root lies in organizational culture—not just rules or checklists.
  - “Culture is the thing that wins because then people are actually owning what they’re supposed to be doing.” – Rob Thiel [04:10]
  - Failures often reflect cultural weaknesses, not just technical gaps.
2. Qantas Penalizes Executives: Accountability at the Top
[05:51 – 11:52]
- Incident Recap: Qantas slashed annual bonuses for senior leaders by 15% following a cyberattack impacting 5.7 million people; the CEO lost $250,000 in pay.
- CISO Responsibility vs. Authority:
  - The hosts criticize the “blame the CISO” approach.
  - “The CISO is not typically director of the company… All the CISO is, is an advisor to the CEO and the board. That’s it… They have no control over what gets done and what’s a priority.” – Howard Holton [07:44]
  - True C-suite/board support and shared accountability are vital.
- Risk Grading & Board Methodologies:
  - Rob raises questions about how boards quantify risk for penalties.
  - Should we grade leaders on incident prevention or response?
- Symbolic Punishments:
  - Producer Steve Prentice calls out the “slap on the wrist” nature of monetary fines.
  - Steve: “I would prefer to see something that reinvests in the people who are doing the defense in depth rather than simply what looks like a slap on the wrist.” [11:29]
  - The panel suggests fines should be redirected to bolster cybersecurity budgets, not just returned to shareholders.
- Societal Impact:
  - Loss of personal data (like Social Security numbers) is often treated as trivial compared to financial fraud, despite the lifelong impact on victims.
  - “Every single Social Security number, it impacts me forever. Why is that less than if you do financial fraud?” – Howard Holton [12:50]
3. SonicWall VPN Flaws: The Persistence of Basic Hygiene Failures
[14:32 – 19:56]
- Background: SonicWall appliances suffered attacks via a year-old flaw, aggravated by poor password rotation and migration processes.
- Operational Failures:
  - Even basic policies like offboarding frequently fail due to poor implementation, politics, and siloed authority.
  - “The number of places that I’ve been where they had a security first policy around account deactivation is effectively zero.” – Howard Holton [15:38]
  - Rob adds: “It really to me is an implementation problem… How that’s missed is beyond me.” [17:06]
- Organizational Politics:
  - The complexity of org charts dilutes accountability, making consensus and execution challenging.
  - “You can track almost every single problem to the org chart… if the circle of that scope goes beyond one C level executive, you’re done.” – Howard Holton [18:56]
4. NSA & Cyber Command: To Split or Not to Split?
[19:56 – 25:55]
- Decision: The US decided to maintain the dual leadership structure, contrary to rumors of a split.
- Benefits & Concerns:
  - Rob argues unified command helps in defensive actions but warns of domestic privacy risks and the necessity of oversight.
  - “When one group only holds power, then you always are going to have abuses of that, which we’ve seen.” – Rob Thiel [21:14]
  - Howard distinguishes between the utility of shared policy frameworks and the dangers of data-sharing and blurred missions.
  - “If we have the same cyber programs, that should absolutely be a top-down decision… However, there should be no data sharing at all.” – Howard Holton [23:10]
  - Calls for “clear missions, clear directives, and an absolute unequivocal… as in it is treason to violate them.” [25:11]
5. Surging US Investment in Spyware Firms
[26:12 – 31:13]
- Finding: American investment in foreign spyware nearly tripled in 2024, making the US the market’s leading funder.
- Corporate and Consumer Implications:
  - With BYOD, risk expands into the enterprise, but equally, consumers feel invaded.
  - “If you are willy nilly with your own personal security plans, don’t depend on your enterprise security posture… You should have a plan for yourself.” – Rob Thiel [27:21]
- Legality & Enforcement:
  - Howard questions why spyware is not treated as outright crime/malware.
  - “If it is actually spyware, it needs to be classified as malicious software. It needs to be illegal.” [29:59]
  - Strong call for actual enforcement against firms violating legal or ethical norms. “Capitalism is dead. We need some freaking enforcement.” [31:09]
- Sensationalism in Coverage:
  - The hosts point out that headlines sometimes blur the line between legitimate monitoring tools and illegal spyware.
Notable Quotes & Memorable Moments
- Trust Over Technology: “If it’s technology that solves the problem, then the CEO gets an escape… But if it’s build trust is the job, that is your job. Right.” – Howard Holton [04:56]
- On Superficial Penalties: “This is like a professional hockey player has to sit out one game because of doing something bad on the ice.” – Steve Prentice [11:29]
- Data as Lifelong Risk: “They lose your Social Security number. Nothing happens. I’m sorry. $1,000 loss is a one time loss event for everyone. Social Security, that is my life. You just gave away my life forever.” – Howard Holton [12:50]
- Basic Hygiene Still Challenging: “Offboarding should be the very first thing you do for ITSM… If you get offboarding correct, then you know you’re ready to move on to other ITSM workflows.” – Howard Holton [17:57]
Timestamps for Major Segments
| Time | Segment/Discussion |
|-------|--------------------|
| 02:10 | SAP’s critical vulnerabilities, trust, and shared responsibility |
| 05:51 | Qantas penalizes execs; accountability and the CISO’s role |
| 11:29 | Are monetary penalties meaningful? |
| 14:32 | SonicWall VPN flaws and org failures in basic security hygiene |
| 19:56 | NSA & Cyber Command dual leadership decision unpacked |
| 26:12 | Tripling of US investment in spyware vendors; legal and ethical debate |
| 31:44 | Positive closing thoughts and hope for the industry |
Positive Notes & Industry Outlook
[31:44 – episode end]
- Vigilance as a Daily Practice: “Every day I get a little bit of personal joy out of making sure that my systems are as secure as I can make them… Stay vigilant and take it as seriously as you could possibly take it…” – Rob Thiel [31:44]
- More Open, Public Cybersecurity Conversations: “I feel like the dialogue has changed… I’m seeing more of this not just here within our group that works in cyber, but… more conversation around cyber security and what this means and, and far more people are curious.” – Howard Holton [32:56]
- Cybersecurity is a Never-Solved Problem: “There’s no level of complexity. Cyber security will never be solved. It will never be a finished problem ever… But the fact that we’re all keeping this front of mind, that we’re all having open dialogues… means there is actually hope for all of this.” – Howard Holton [33:55]
In Summary
This episode dives into the intersection of technical, cultural, and political challenges in cybersecurity today, with frank, actionable insights for practitioners and executives alike. The hosts urge a shift from purely technical fixes to trust-based approaches, more meaningful executive accountability, and stronger enforcement and legal clarity—while closing with a reminder of the progress made in industry discourse and individual resilience. If you missed the episode, this summary delivers all the essential takeaways and food for thought.
