BreachExchange mailing list archives

Re: CEOs deserve jail for data breaches


From: "Mike Simon" <msimon () creationlogic com>
Date: Wed, 9 Apr 2008 09:09:33 -0700

So, everyone here that's advocating jail time for CEOs believes that the CEO
fully understood the risk that was being undertaken by their IT
infrastructure, policies and behavior and consciously and deliberately chose
to accept that risk and potential financial consequences?

Generally when a corporate executive does something stupid, the acceptable
consequences are fines, which escalate based on how stupid the action was,
and how much the exec could have been expected to know and prevent the
stupidity. We generally reserve criminal prosecution for executives who can
be shown to fully understand their actions (and more rarely lack of action)
and then performed acts which were contrary to the welfare of the company or
stockholders which are of direct benefit to themselves.

It would be an amusing exercise to postulate what other kinds of things CEOs
should receive jail time for in light of this new concept. If they choose
biofuel over fuel cells and lose a billion dollars for investors, even
though everyone was telling them that fuel cells were the way to go, should
we lock them up? The impact to individuals is potentially greater than a
data breach, since there is no remedy and it's a guaranteed loss for
everyone. People were telling the CEO that he shouldn't do what he was
doing, and they were right. What's the appropriate jail time for that bad
decision, versus not insisting that IT processes and procedures be audited
every 6 months?

I'm on the side of responsibility and safety here, but folks seem ready to
crucify the execs based on little or no evidence that their actions had
anything to do with the event. If a material lack of competency on the part
of a CEO is reason for jail, shouldn't we translate that all the way down
the line? If information is compromised because an IT manager failed to take
well known precautions, or missed installing malware protection on a
critical server, do we send the CEO or the manager to jail (or both)? The
CEO approved the expense, and expected that it was happening per policy, but
the manager caused the data breach through their own incompetence. Since the
new standard is jail time for the person responsible, the manager should now
be facing jail, right? In many ways there is a better argument for sending
the manager to jail, since the material lack of competence is very closely
related to their expected competencies and they screwed up anyway.

I'll end the rant with the idea that we as security professionals haven't
done our job until the Cxxs UNDERSTAND the risk that we are expressing well
enough to make informed decisions. Just telling an executive that there is a
risk, even if you quantify it, isn't enough. We have an especially difficult
job in that we need to successfully translate some pretty arcane statistical
concepts of risk into a continuous educational program that allows
executives to make good decisions based on understanding of a fairly complex
field. Anything less and we haven't done our job.

Mike Simon
On Wed, Apr 9, 2008 at 1:32 AM, security curmudgeon <jericho () attrition org>
wrote:

---------- Forwarded message ----------
From: InfoSec News <alerts () infosecnews org>

http://www.techworld.com/security/news/index.cfm?newsID=11924

By John E. Dunn
Techworld
08 April 2008

A growing number of security pros believe that the way to stop data
breaches from happening is as simple as it is stark - send the CEOs or board
members deemed responsible to jail.

The opinion emerged from a survey by security mainstay Websense at the
recent UK e-Crime Congress, which polled 107 security professionals on
their opinions. Seventy-nine percent believed that companies should be
fined for data breaches - something that does already happen in some cases
in the UK - while 59 percent were in favour of compensation for consumers
affected by a breach.

The most striking view of all was that the time had come to punish serious
data breaches with jail time for senior staff, with 25 percent rating that
as a necessary step. Only three percent were against any form of
legally-enforceable punishment.

[..]
_______________________________________________
Dataloss Mailing List (dataloss () attrition org)
http://attrition.org/dataloss

Tenable Network Security offers data leakage and compliance monitoring
solutions for large and small networks. Scan your network and monitor your
traffic to find the data needing protection before it leaks out!
http://www.tenablesecurity.com/products/compliance.shtml
