[Dataloss] CEOs deserve jail for data breaches
Rich Kulawiec
rsk at gsp.org
Wed Apr 9 18:35:45 UTC 2008
On Wed, Apr 09, 2008 at 01:16:31PM -0400, Adam Shostack wrote:
> I think we should jail CEOs *and* security pros who get all the budget
> they want, and still allow a breach.
>
> More seriously, it's easy to suggest that others go to jail for not
> doing what we want. I know of few professionals who'd want to accept
> the risk of jail time for their errors or omissions.
>
> So if you advocate CEOs in jail, be prepared to join them.
I'm fine with that concept, provided the scale of the punishment
is commensurate with the scope of responsibility. For example,
if a CEO makes 4M a year and a security analyst makes 100K, then
I expect the CEO to accept 40/41 of the responsibility. ("With great
power comes great responsibility.")
In part I suppose I think this way because I'm accustomed to taking
on life-and-death responsibilities: I'm a whitewater kayaker and am
often the "sweep boat", which means I go last and am responsible for
the safety of everyone in front me. (I'm mostly on my own in this
situation, since nobody is watching my back.) If while scouting a rapid,
I give out bad advice, or if I mis-estimate the ability of one of the
paddlers in the group to handle a particular route, or if I forget
to point out something important, then someone could get into serious
trouble very quickly because of my error. And even if I get everything
right, someone could still screw up, at which point it's my responsibility
to do anything I can possibly can, including putting myself at risk,
to rescue them.
If I can take on that kind of responsibility, for free, on a routine
basis, knowing that if something goes horribly wrong I will not only
have to live with it (assuming I survive), but may also be sued into
homelessness, then surely someone who is making millions of dollars
a year can be expected to take on a far lesser, non life-and-death
responsibility -- and to endure the consequences if they fail.
If they're not up to that, then perhaps they should step aside in favor
of someone who is.
---Rsk
More information about the Dataloss
mailing list