<div>So, everyone here that's advocating jail time for CEOs believes that the CEO fully understood the risk that was being undertaken by their IT infrastructure, policies and behavior and consciously and deliberately chose to accept that risk and potential financial consequences? </div>
<div> </div>
<div>Generally when a corporate executive does something stupid, the acceptable consequences are fines, which escalate based on how stupid the action was, and how much the exec could have been expected to know and prevent the stupidity. We generally reserve criminal prosecution for executives who can be shown to fully understand their actions (and more rarely lack of action) and then performed acts which were contrary to the welfare of the company or stockholders which are of direct benefit to themselves.</div>
<div><br>It would be an amusing exercise to postulate what other kinds of things CEOs should receive jail time for in light of this new concept. If they choose biofuel over fuel cells and lose a billion dollars for investors, even though everyone was telling them that fuel cells were the way to go, should we lock them up? The impact to individuals is potentially greater than a data breach, since there is no remedy and it's a guaranteed loss for everyone. People were telling the CEO that he shouldn't do what he was doing, and they were right. What's the appropriate jail time for that bad decision, versus not insisting that IT processes and procedures be audited every 6 months?</div>
<div> </div>
<div>I'm on the side of responsibility and safety here, but folks seem ready to crucify the execs based on little or no evidence that their actions had anything to do with the event. If a material lack of competency on the part of a CEO is reason for jail, shouldn't we translate that all the way down the line? If information is compromised because an IT manager failed to take well known precautions, or missed installing malware protection on a critical server, do we send the CEO or the manager to jail (or both)? The CEO approved the expense, and expected that it was happening per policy, but the manager caused the data breach through their own incompetence. Since the new standard is jail time for the person responsible, the manager should now be facing jail, right? In many ways there is a better argument for sending the manager to jail, since the material lack of competence is very closely related to their expected competencies and they screwed up anyway.</div>
<div> </div>
<div>I'll end the rant with the idea that we as security professionals haven't done our job until the Cxxs UNDERSTAND the risk that we are expressing well enough to make informed decisions. Just telling an executive that there is a risk, even if you quantify it, isn't enough. We have an especially difficult job in that we need to successfully translate some pretty arcane statistical concepts of risk into a continuous educational program that allows executives to make good decisions based on understanding of a fairly complex field. Anything less and we haven't done our job.</div>
<div> </div>
<div>Mike Simon</div>
<div class="gmail_quote">On Wed, Apr 9, 2008 at 1:32 AM, security curmudgeon <<a href="mailto:jericho@attrition.org">jericho@attrition.org</a>> wrote:<br>
<blockquote class="gmail_quote" style="PADDING-LEFT: 1ex; MARGIN: 0px 0px 0px 0.8ex; BORDER-LEFT: #ccc 1px solid"><br><br>---------- Forwarded message ----------<br>From: InfoSec News <<a href="mailto:alerts@infosecnews.org">alerts@infosecnews.org</a>><br>
<br><a href="http://www.techworld.com/security/news/index.cfm?newsID=11924" target="_blank">http://www.techworld.com/security/news/index.cfm?newsID=11924</a><br><br>By John E. Dunn<br>Techworld<br>08 April 2008<br><br>A growing number of security pros believe that the way to stop data<br>
breaches from happening is simple as it is stark - send the CEOs or board<br>members deemed responsible to jail.<br><br>The opinion emerged from a survey by security mainstay Websense at the<br>recent UK e-Crime Congress, which polled 107 security professionals on<br>
their opinions. Seventy-nine percent believed that companies should be<br>fined for data breaches - something that does already happen in some cases<br>in the UK - while 59 percent were in favour of compensation for consumers<br>
affected by a breach.<br><br>The most striking view of all was that the time had come to punish serious<br>data breaches with jail time for senior staff, with 25 percent rating that<br>as a necessary step. Only three percent were against any form of<br>
legally-enforceable punishment.<br><br>[..]<br>_______________________________________________<br>Dataloss Mailing List (<a href="mailto:dataloss@attrition.org">dataloss@attrition.org</a>)<br><a href="http://attrition.org/dataloss" target="_blank">http://attrition.org/dataloss</a><br>
<br>Tenable Network Security offers data leakage and compliance monitoring<br>solutions for large and small networks. Scan your network and monitor your<br>traffic to find the data needing protection before it leaks out!<br>
<a href="http://www.tenablesecurity.com/products/compliance.shtml" target="_blank">http://www.tenablesecurity.com/products/compliance.shtml</a><br></blockquote></div><br>