BreachExchange mailing list archives
Re: CEOs deserve jail for data breaches
From: Rich Kulawiec <rsk () gsp org>
Date: Wed, 9 Apr 2008 14:35:45 -0400
On Wed, Apr 09, 2008 at 01:16:31PM -0400, Adam Shostack wrote:
> I think we should jail CEOs *and* security pros who get all the budget
> they want, and still allow a breach. More seriously, it's easy to suggest
> that others go to jail for not doing what we want. I know of few
> professionals who'd want to accept the risk of jail time for their errors
> or omissions. So if you advocate CEOs in jail, be prepared to join them.
I'm fine with that concept, provided the scale of the punishment is commensurate with the scope of responsibility. For example, if a CEO makes 4M a year and a security analyst makes 100K, then I expect the CEO to accept 40/41 of the responsibility. ("With great power comes great responsibility.")

In part I suppose I think this way because I'm accustomed to taking on life-and-death responsibilities: I'm a whitewater kayaker and am often the "sweep boat", which means I go last and am responsible for the safety of everyone in front of me. (I'm mostly on my own in this situation, since nobody is watching my back.) If while scouting a rapid, I give out bad advice, or if I mis-estimate the ability of one of the paddlers in the group to handle a particular route, or if I forget to point out something important, then someone could get into serious trouble very quickly because of my error. And even if I get everything right, someone could still screw up, at which point it's my responsibility to do anything I possibly can, including putting myself at risk, to rescue them.

If I can take on that kind of responsibility, for free, on a routine basis, knowing that if something goes horribly wrong I will not only have to live with it (assuming I survive), but may also be sued into homelessness, then surely someone who is making millions of dollars a year can be expected to take on a far lesser, non life-and-death responsibility -- and to endure the consequences if they fail. If they're not up to that, then perhaps they should step aside in favor of someone who is.

---Rsk

_______________________________________________
Dataloss Mailing List (dataloss () attrition org)
http://attrition.org/dataloss