
SAN FRANCISCO — Former Truvex Technologies CISO Derek Mallory was sentenced to 18 months in prison this week for “failing to prevent a breach despite reasonable effort and partial success.”
Mallory, 44, ran what colleagues described as a “decent” security program: MFA everywhere, quarterly patch cycles, even a phishing simulation that caught most of marketing. But the company was breached anyway — after a marketing intern clicked an email promising “AI-generated sales leads.”
Attackers gained access to Truvex’s Azure environment and leaked customer data within hours. Despite having warned leadership repeatedly, Mallory was charged under the new Corporate Cyber Accountability Act, which makes CISOs criminally liable for not preventing every possible incident.
“He did what every CISO does,” said one engineer. “Made a plan, got half the budget, prayed for the rest.”
Executives faced no consequences. The CEO, who’d previously cut the security budget to fund a rebrand, said Mallory “failed to align with our culture of accountability.” The CRO, who kept public customer data online “for conversion optimization,” received a bonus.
Prosecutors argued Mallory “should have known” the intern would click the phishing link, citing three prior failed phishing tests. The defense presented Slack messages showing he’d warned about this exact risk. The jury was unmoved.
“If a plane crashes, we blame the pilot,” said prosecutor Amy Renfield. “Why should cybersecurity be different?”
Security researchers called the analogy absurd. “Planes don’t have passengers installing Chrome extensions called CryptoMiner Enhancer mid-flight,” said one.
In the aftermath, vendors rushed to capitalize. CrowdArmor launched “Protect Your Org — and Your Freedom”, promising “AI-powered legal defensibility.” Consulting firm DPMC now offers “CISO Liability Readiness Assessments” for $250,000.
Truvex stock rose 6% after the sentencing. The company posted a new job listing for CISO, promising “competitive pay, unlimited PTO, and a high tolerance for prison risk.”
Applications close Friday.

The editorial team at The Exploit - bringing you the most absurd cybersecurity news before it's patched.