[Dataloss] CEOs deserve jail for data breaches

Stefan Wahe stefan.wahe at doit.wisc.edu
Wed Apr 9 18:18:03 UTC 2008


In reading through the thread it seems that we are quick to want to 
point the finger.  As security professionals we definitely attempt to 
communicate the need for implementing technical controls and 
procedures that will mitigate a risk to PII.  CEOs may listen, but do 
they understand?  Once there is more accountability, there will be more 
interest from CEOs or middle management in spending time understanding 
the threats, the impact and likelihood of those threats, and weighing 
them against the cost of implementing technical controls or procedures 
as well as implementing and enforcing policy.

Seems like there are an awful lot of laptops wandering off (stolen/lost) 
with sensitive data.  If there is a company policy stating mobile 
devices should not store such PII data, are these employees being 
fired?  Why aren't there controls preventing them from copying the data 
to the device?

Now if the CEO is not creating and enforcing these policies, then 
his/her board of directors should be considering their employment 
status.  But then again, where is the common understanding between the 
CISO, business partners, CEO, BoD and technologists?

Stefan Wahe

Max Hozven wrote:
> My 2 cents is that we should make sure that whistle-blowers are
> protected and a large portion of fines collected go to potential
> victims of identity theft (as opposed to all going down some rat-hole
> of a government bureaucracy).
>
> Sending CEOs to jail for actions of someone way down the food-chain
> could have the undesired effect of not having good people want to be
> CEOs anymore, and in this economic situation, we need all the good
> people we can get at the top.
>
> -Max
>  Note: Opinions expressed are that of myself only.
>
> -----Original Message-----
> From: dataloss-bounces at attrition.org
> [mailto:dataloss-bounces at attrition.org] On Behalf Of Adam Shostack
> Sent: Wednesday, April 09, 2008 10:17 AM
> To: Mike Simon
> Cc: security curmudgeon; dataloss at attrition.org
> Subject: Re: [Dataloss] CEOs deserve jail for data breaches
>
> On Wed, Apr 09, 2008 at 09:09:33AM -0700, Mike Simon wrote:
> | It would be an amusing exercise to postulate what other kinds of
> | things CEOs should receive jail time for in light of this new concept.
> | If they choose biofuel over fuel cells and lose a billion dollars for
> | investors, even though everyone was telling them that fuel cells were
> | the way to go, should we lock
>
> I think we should jail CEOs *and* security pros who get all the budget
> they want, and still allow a breach.  
>
> More seriously, it's easy to suggest that others go to jail for not
> doing what we want.  I know of few professionals who'd want to accept
> the risk of jail time for their errors or omissions.
>
> So if you advocate CEOs in jail, be prepared to join them.
>
> Adam
>
> _______________________________________________
> Dataloss Mailing List (dataloss at attrition.org)
> http://attrition.org/dataloss
>
> Tenable Network Security offers data leakage and compliance monitoring
> solutions for large and small networks. Scan your network and monitor
> your traffic to find the data needing protection before it leaks out!
> http://www.tenablesecurity.com/products/compliance.shtml