<html><body>
<DIV>I don't think the burden should be on the CEOs, unless the security function reports directly. For many of us, the security function reports into the CIO. We are challenged with constrained budgets and often the security function competes for funding with business driven initiatives. In these situations, the CIO is a principle stakeholder in deciding if information protection recommendations are implemented or not. I've personally witnessed many a circumstance where these types of decisions are filtered from reaching executives higher up in the organization. My .02.</DIV>
<DIV> </DIV>
<DIV>Regards</DIV>
<DIV> </DIV>
<BLOCKQUOTE style="PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #1010ff 2px solid">-------------- Original message -------------- <BR>From: "Ghercoias, Catalin" <CGhercoias@TWEC.COM> <BR><BR>> <BR>> I agree with the idea. After all these breaches maybe not necessarily the <BR>> CXX-level executives (maybe the CFO) should be marched to jail but the <BR>> Directors of the IT who have been told by their Managers of Infrastructure <BR>> or Managers of Store Services that there is a potential for a breach and <BR>> "this is what needs to be done/purchased..." but the Director of IT either <BR>> ignored them or said "this is not critical, it can wait". <BR>> <BR>> How many of you Security Engineers, System Administrators, Network <BR>> Administrators, etc. have discovered big problems (or potential big) in your <BR>> networks and you notified your Director of IT only to be given one of the <BR>> answers "this is not critical, we do not have
budget for this, it can wait <BR>> until next year,... or you_fill_in_the_answer_here" or the worse answer I've <BR>> heard -- "this is a risk that the business is willing to assume" ?? <BR>> Especially when you told them that egress traffic should be blocked at the <BR>> firewall level for ... all stores, let's say. <BR>> <BR>> -- C. <BR>> <BR>> <BR>> <BR>> > From: Rich Kulawiec <RSK@GSP.ORG><BR>> > Date: Wed, 9 Apr 2008 08:52:00 -0400 <BR>> > To: <DATALOSS@ATTRITION.ORG><BR>> > Subject: Re: [Dataloss] CEOs deserve jail for data breaches <BR>> > <BR>> > <BR>> > This is an excellent idea. As I wrote the other on another mailing <BR>> > list, the single best thing that could happen for security would <BR>> > be live video of every Cxx-level executive at TJX being marched <BR>> > into Leavenworth -- AFTER being stripped of all personal assets. <BR>> > <BR>> > ---Rsk <BR>> > ______
_________________________________________ <BR>> > Dataloss Mailing List (dataloss@attrition.org) <BR>> > http://attrition.org/dataloss <BR>> > <BR>> > Tenable Network Security offers data leakage and compliance monitoring <BR>> > solutions for large and small networks. Scan your network and monitor your <BR>> > traffic to find the data needing protection before it leaks out! <BR>> > http://www.tenablesecurity.com/products/compliance.shtml <BR>> <BR>> _______________________________________________ <BR>> Dataloss Mailing List (dataloss@attrition.org) <BR>> http://attrition.org/dataloss <BR>> <BR>> Tenable Network Security offers data leakage and compliance monitoring <BR>> solutions for large and small networks. Scan your network and monitor your <BR>> traffic to find the data needing protection before it leaks out! <BR>> http://www.tenablesecurity.com/products/compliance.shtml </BLOCKQUOTE></body></html>