[Dataloss] fringe: Data Breach Fallout: Do CISOs Need Legal Protection?
security curmudgeon
jericho at attrition.org
Fri Aug 1 09:46:43 UTC 2008
---------- Forwarded message ----------
From: InfoSec News <alerts at infosecnews.org>
http://www.csoonline.com/article/440108/Data_Breach_Fallout_Do_CISOs_Need_Legal_Protection_
By Bill Brenner
Senior Editor
CSO Online
July 30, 2008
In the wake of a data breach, the company's top brass may go looking for
someone to blame. If you are the security chief, chances are it's going to
be you.
It doesn't matter that you warned executives repeatedly that certain
technological or cultural flaws were putting the company at risk, or that
you had to maintain security with a shoestring budget and little or no
staff. Chances are you'll take the fall whether you deserve it or not,
says George Moraetes, a Chicago-based security contractor and executive
board advisor for security event management firm IdentityLogix.
He has watched as some of his CSO acquaintances were blamed for a security
failure or dismissed for trying to blow the whistle over the company's
security holes.
"One friend of mine, the CISO of a credit bureau, blew the whistle on a
security auditor who wasn't following best practices and was making
reporting discrepancies," says Moraetes, an independent consultant. "The
auditor was a friend of the top brass, and the CISO was let go. I know of
three others in Georgia who were fired or demoted for similar reasons."
[...]
More information about the Dataloss
mailing list