[ISN] IT Execs on Firing Line Over Security Breaches

From: InfoSec News (alerts@private)
Date: Sun Aug 27 2006 - 22:04:16 PDT


http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=security&articleId=9002764

By Jaikumar Vijayan
August 28, 2006
Computerworld

The cost of data breaches may be getting a lot higher for IT 
professionals who are deemed to be responsible for failing to secure 
corporate information.

For example, Maureen Govern, AOL LLC's chief technology officer, 
abruptly resigned last week in the aftermath of a disclosure that the 
company had publicly released data on searches done by about 650,000 of 
its online subscribers. AOL also fired two workers in its research 
division, which was responsible for the release of the data and had been 
overseen by Govern.

It was the second time this month that high-level technology managers 
lost their jobs because of data breaches. On Aug. 3, Ohio University 
sacked two top IT managers for what it saw as their failure to prevent a 
series of breaches discovered at the Athens-based school in the spring.

In addition, university CIO William Sams announced in July that he will 
resign once someone is found to replace him, saying that "a new energy 
level and skill set" is needed in the school's IT organization. Sams is 
still on the job, though, and he wrote the termination letters sent to 
the two fired managers.

IT managers should expect firings and other harsh disciplinary actions 
to become more common as organizations face increasing public pressure 
to address data breaches that they suffer, said Robert Scott, managing 
partner at Dallas-based law firm Scott & Scott LLP.

"In order for companies to have a credible position in the marketplace, 
they're going to have to explain in a public way what they have done to 
address the issue," Scott said. "The risks that companies face from a 
liability and a reputation perspective are such that when breaches 
occur, people will not only need to be held accountable, but heads will 
have to roll."

Such "forced accountability" is at least partly the result of the 
intense media scrutiny that data breaches now receive, said Bob 
Hartland, director of IT, servers and networking systems at Baylor 
University in Waco, Texas. The attention has heightened public concerns 
and "made a lot of people nervous," he said.

Tim O'Pry, CTO at The Henssler Financial Group in Kennesaw, Ga., said 
that accountability is necessary and that it's reasonable to expect that 
people will lose their jobs if their negligence causes or contributes to 
a security breach.

The problem is that many times, the workers who are held responsible for 
breaches are only following what until then had been accepted practices 
within their companies, O'Pry said. And they may not have had the 
responsibility or authority to change the practices, he noted.

But as companies face increasing pressure to "do something" in the wake 
of a breach, the fallout often means demotions, firings or other 
personnel actions, said O'Pry. That approach is part of a wider tendency 
by corporate officials to deal with data security issues on a reactive 
basis, he added.

"This knee-jerk, after-the-fact mentality is pervasive with many aspects 
of security," O'Pry said.

"Somebody has to take the chop for [breaches]," said Lloyd Hession, 
chief security officer at BT Radianz, a New York-based company that 
offers telecommunications services to the financial industry. "The real 
question, though, is whether it's the right guys' heads that are 
rolling."

Forging closer ties with IT audit teams is a key to survival in the new 
environment, Hession advised. "If you think you have an issue, go to 
Audit and tell them about it," he said. If the audit group concurs that 
a security problem exists, it should be easier to get the resources 
needed to fix it, Hession added.

And if the auditors agree that there's an issue "and nobody does 
anything about it, you probably don't need to be falling on your sword" 
if a data breach does occur, he said.

Companywide outreach and communication also are critical, according to 
Scott.

Managers who are responsible for IT security "need to do a better job of 
articulating a business case [that] suggests that ignoring data security 
and shuffling it to the bottom of the priority list is a recipe for 
disaster," he said.

In addition to the incidents at AOL and Ohio University, the massive 
security breach disclosed by the U.S. Department of Veterans Affairs in 
May resulted in a shake-up that included the resignation of the agency's 
chief information security officer. But the CISO's departure is thought 
to have been driven by his frustration over organizational issues within 
the VA, which traditionally has split most IT and security 
responsibilities among its three main operating divisions.


This archive was generated by hypermail 2.1.3 : Sun Aug 27 2006 - 22:20:40 PDT