BreachExchange mailing list archives
Re: CEOs deserve jail for data breaches
From: Stefan Wahe <stefan.wahe () doit wisc edu>
Date: Wed, 09 Apr 2008 13:18:03 -0500
In reading through the thread it seems that we are quick to want to point the finger. As a security professional we definitely attempt to communicate the need for implementing technical controls and implementing procedures that will mitigate a risk to PII. CEO's may listen but do they understand. Once there is more accountability then there will be more of an interest from CEOs or middle management to spend time understanding the threats, the impact and likelihood of those threats and be able to weigh them against the cost of implementing technical controls or procedures as well as implementing and enforcing policy. Seems like there are an awful lot of laptops wondering off (stolen/lost) with sensitive data. If there is a company policy stating mobile devices should not store such PII data, are these employees being fired? Why aren't there controls preventing them from copying the data to the device? Now if the CEO is not creating and enforcing these policies, then his/her board of directors should be considering their employment status. But then again, where is the common understanding between the CISO, Business Partners, CEO, BoD and technologists? Stefan Wahe Max Hozven wrote:
My 2 cents is that we should make sure that whistle-blowers are protected and a large portion of fines collected go to potential victims of identity theft (as opposed to all going down some rat-hole of a government bureaucracy. Sending CEO's to jail for actions of someone way down the food-chain could have the undesired effect of not having good people want to be CEO's anymore, and in this economic situation, we need all the good people we can get at the top. -Max Note: Opinions expressed are that of myself only. -----Original Message----- From: dataloss-bounces () attrition org [mailto:dataloss-bounces () attrition org] On Behalf Of Adam Shostack Sent: Wednesday, April 09, 2008 10:17 AM To: Mike Simon Cc: security curmudgeon; dataloss () attrition org Subject: Re: [Dataloss] CEOs deserve jail for data breaches On Wed, Apr 09, 2008 at 09:09:33AM -0700, Mike Simon wrote: | It would be an amusing exercise to postulate what other kinds of | things CEOs should receive jail time for in light of this new concept. | If they choose biofuel over fuel cells and loose a billion dollars for | investors, even though everyone was telling them that fuel cells were | the way to go, should we lock I think we should jail CEOs *and* security pros who get all the budget they want, and still allow a breach. More seriously, it's easy to suggest that others go to jail for not doing what we want. I know of few professionals who'd want to accept the risk of jail time for their errors or omissions. So if you advocate CEOs in jail, be prepared to join them. Adam _______________________________________________ Dataloss Mailing List (dataloss () attrition org) http://attrition.org/dataloss Tenable Network Security offers data leakage and compliance monitoring solutions for large and small networks. Scan your network and monitor your traffic to find the data needing protection before it leaks out! http://www.tenablesecurity.com/products/compliance.shtml _______________________________________________ Dataloss Mailing List (dataloss () attrition org) http://attrition.org/dataloss Tenable Network Security offers data leakage and compliance monitoring solutions for large and small networks. Scan your network and monitor your traffic to find the data needing protection before it leaks out! http://www.tenablesecurity.com/products/compliance.shtml
_______________________________________________ Dataloss Mailing List (dataloss () attrition org) http://attrition.org/dataloss Tenable Network Security offers data leakage and compliance monitoring solutions for large and small networks. Scan your network and monitor your traffic to find the data needing protection before it leaks out! http://www.tenablesecurity.com/products/compliance.shtml
Current thread:
- Re: CEOs deserve jail for data breaches, (continued)
- Re: CEOs deserve jail for data breaches Rich Kulawiec (Apr 09)
- Re: CEOs deserve jail for data breaches Ghercoias, Catalin (Apr 09)
- Re: CEOs deserve jail for data breaches Allan Friedman (Apr 09)
- Re: CEOs deserve jail for data breaches [LONG] Rich Kulawiec (Apr 09)
- Re: CEOs deserve jail for data breaches Ghercoias, Catalin (Apr 09)
- Re: CEOs deserve jail for data breaches Rich Kulawiec (Apr 09)
- Re: CEOs deserve jail for data breaches Casey, Troy # Atlanta (Apr 09)
- Re: CEOs deserve jail for data breaches Eric Nelson (Apr 09)
- Re: CEOs deserve jail for data breaches James Childers (Apr 09)
- Re: CEOs deserve jail for data breaches Eric Nelson (Apr 09)
- Re: CEOs deserve jail for data breaches Mike Simon (Apr 09)
- Re: CEOs deserve jail for data breaches Adam Shostack (Apr 09)
- Re: CEOs deserve jail for data breaches Max Hozven (Apr 09)
- Re: CEOs deserve jail for data breaches Stefan Wahe (Apr 09)
- Re: CEOs deserve jail for data breaches Rich Kulawiec (Apr 09)
- Re: CEOs deserve jail for data breaches lyger (Apr 09)
- Re: CEOs deserve jail for data breaches Adam Shostack (Apr 09)