BreachExchange mailing list archives

Re: CEOs deserve jail for data breaches


From: Rich Kulawiec <rsk () gsp org>
Date: Wed, 9 Apr 2008 14:35:45 -0400

On Wed, Apr 09, 2008 at 01:16:31PM -0400, Adam Shostack wrote:
> I think we should jail CEOs *and* security pros who get all the budget
> they want, and still allow a breach.
>
> More seriously, it's easy to suggest that others go to jail for not
> doing what we want.  I know of few professionals who'd want to accept
> the risk of jail time for their errors or omissions.
>
> So if you advocate CEOs in jail, be prepared to join them.

I'm fine with that concept, provided the scale of the punishment
is commensurate with the scope of responsibility.  For example,
if a CEO makes 4M a year and a security analyst makes 100K, then
I expect the CEO to accept 40/41 of the responsibility.  ("With great
power comes great responsibility.")

In part I suppose I think this way because I'm accustomed to taking
on life-and-death responsibilities: I'm a whitewater kayaker and am
often the "sweep boat", which means I go last and am responsible for
the safety of everyone in front of me.  (I'm mostly on my own in this
situation, since nobody is watching my back.)  If while scouting a rapid,
I give out bad advice, or if I mis-estimate the ability of one of the
paddlers in the group to handle a particular route, or if I forget
to point out something important, then someone could get into serious
trouble very quickly because of my error.  And even if I get everything
right, someone could still screw up, at which point it's my responsibility
to do anything I possibly can, including putting myself at risk,
to rescue them.

If I can take on that kind of responsibility, for free, on a routine
basis, knowing that if something goes horribly wrong I will not only
have to live with it (assuming I survive), but may also be sued into
homelessness, then surely someone who is making millions of dollars
a year can be expected to take on a far lesser, non-life-and-death
responsibility -- and to endure the consequences if they fail.

If they're not up to that, then perhaps they should step aside in favor
of someone who is.

---Rsk

_______________________________________________
Dataloss Mailing List (dataloss () attrition org)
http://attrition.org/dataloss

