The CISA ChatGPT incident: A watershed moment for cybersecurity leadership.

Written By:

Monica Parks
Chief Information Officer

Bank3

This isn’t just another data breach story. This is a leadership crisis that should shake every organization to its core.

Last week, Politico reported that Madhu Gottumukkala, the Acting Director of the Cybersecurity and Infrastructure Security Agency (CISA), uploaded sensitive government contracting documents marked “For Official Use Only” into a public version of ChatGPT. Let me repeat that: the person leading America’s civilian cyber defense agency uploaded sensitive federal documents into a publicly accessible AI platform.

This incident occurred last summer and triggered multiple automated security alerts designed to prevent the theft or inadvertent disclosure of government files from federal networks. It prompted a Department of Homeland Security-level review to determine if federal information had been improperly exposed.

This is beyond irresponsible.

As a CIO, I’m beyond frustrated. As a U.S. citizen, I’m infuriated.

CISA is the agency responsible for defending federal networks and critical infrastructure against cyber threats from sophisticated adversaries. This is the organization that sets the cybersecurity standards for the rest of the federal government. And its acting director violated the most basic principle of data security: think before you click.

The irony is suffocating. This is the equivalent of a fire chief storing gasoline next to the furnace. It demonstrates a fundamental misunderstanding of the very threats this agency exists to combat.

The “Permission” Defense Doesn’t Hold Water

CISA’s response? A statement claiming Gottumukkala “was granted permission to use ChatGPT with DHS controls in place” and that his use was “short-term and limited.”

Here’s the problem with that defense: permission doesn’t equal judgment. Having access to a tool doesn’t mean you should use it for sensitive materials. According to reports, Gottumukkala specifically requested special access to ChatGPT when other DHS employees were blocked from using it. One official characterized it bluntly: “He forced CISA’s hand into making them give him ChatGPT, and then he abused it.”

This wasn’t an accident. This was a deliberate decision to circumvent security protocols.

When data enters the public version of ChatGPT, it can potentially be incorporated into the model’s training data and exposed to OpenAI’s nearly one billion users. Meanwhile, DHS-approved AI tools like DHSChat are specifically configured to prevent user inputs from leaving federal networks. The secure alternatives existed. They were ignored.

We’ve Lost the Plot on Basic Security Hygiene

This incident is symptomatic of a larger problem plaguing our industry and government: we’ve wandered dangerously far from the fundamentals.

Remember “think before you click”? Remember when we drilled into every employee’s head that sensitive data stays within approved systems? Remember when security awareness wasn’t just a compliance checkbox but a cultural imperative?

We’ve become so enamored with new technologies, so eager to experiment with AI and automation, that we’ve forgotten the basics. And when leaders forget those basics, the consequences cascade throughout the organization.

Snap out of it.

Leadership Must Mean Something

This isn’t Gottumukkala’s only controversy during his brief tenure. He reportedly failed a counterintelligence polygraph examination last summer and attempted to remove CISA’s CIO in a move that was blocked by other political appointees. As Rep. Bennie Thompson stated: “At best, he’s in over his head, if not unfit to lead.”

I don’t take pleasure in saying this, but when someone demonstrates this level of judgment failure at the highest levels of cybersecurity leadership, there must be accountability. This isn’t about politics. This is about competence, judgment, and the security of our nation’s critical infrastructure.

Leadership in cybersecurity means setting the example. It means being the most paranoid person in the room about data security. It means understanding that your actions set the tone for thousands of employees who look to you for guidance.

The Wake-Up Call We Cannot Ignore

Every CISO, CIO, and security leader should be sharing this story with their teams—not as gossip, but as a cautionary tale. This is what happens when we lose sight of fundamentals. This is what happens when convenience trumps security. This is what happens when leaders believe the rules don’t apply to them.

If the acting director of CISA can make this mistake, anyone can. And that’s precisely why we need to recommit ourselves to the basics:

  • Classify your data properly and understand what “For Official Use Only” actually means
  • Use approved tools for sensitive information, even if they’re less convenient
  • Challenge authority when you see security shortcuts being taken, regardless of who’s taking them
  • Lead by example, especially when you’re in positions of trust and responsibility

Moving Forward

We’re at a critical juncture. Nation-state actors are more sophisticated than ever. Ransomware gangs are targeting critical infrastructure. Supply chain attacks are becoming the norm. We cannot afford to have leaders who don’t understand or respect basic security protocols.

This incident should be embarrassing. It should be a wake-up call. Most importantly, it should be the last time we see this level of negligence from cybersecurity leadership.

The question now is: what are we going to do about it? As an industry, as government agencies, as organizations entrusted with sensitive data, we need to demand better. We need to expect more. We need to hold ourselves and our leaders to the highest standards.

Because if we don’t, adversaries will continue to exploit not our technical vulnerabilities, but our human ones. And this incident proves that vulnerability exists at every level.

Bank3 is based in Memphis, Tennessee and has more than $483 million in assets. It has 6 branches and 4 mortgage lending centers.
