[ISN] Data Breach Fallout: Do CISOs Need Legal Protection?

From: InfoSec News <alerts_at_private>
Date: Fri, 1 Aug 2008 04:06:27 -0500 (CDT)
http://www.csoonline.com/article/440108/Data_Breach_Fallout_Do_CISOs_Need_Legal_Protection_

By Bill Brenner
Senior Editor
CSO Online
July 30, 2008

In the wake of a data breach, the company's top brass may go looking for 
someone to blame. If you are the security chief, chances are it's going 
to be you.

It doesn't matter that you warned executives repeatedly that certain 
technological or cultural flaws were putting the company at risk, or 
that you had to maintain security with a shoestring budget and little or 
no staff. Chances are you'll take the fall whether you deserve it or 
not, says George Moraetes, a Chicago-based security contractor and 
executive board advisor for security event management firm 
IdentityLogix.

He has watched as some of his CSO acquaintances were blamed for a 
security failure or dismissed for trying to blow the whistle over the 
company's security holes.

"One friend of mine, the CISO of a credit bureau, blew the whistle on a 
security auditor who wasn't following best practices and was making 
reporting discrepancies," says Moraetes, an independent consultant. "The 
auditor was a friend of the top brass, and the CISO was let go. I know 
of three others in Georgia who were fired or demoted for similar 
reasons."

[...]


_______________________________________________      
Attend Black Hat USA, August 2-7 in Las Vegas, 
the world's premier technical event for ICT security experts.
Featuring 40 hands-on training courses and 80 Briefings 
presentations with lots of new content and new tools.
Network with 4,000 delegates from 50 nations.  
Visit product displays by 30 top sponsors in 
a relaxed setting. http://www.blackhat.com
Received on Fri Aug 01 2008 - 02:06:27 PDT

This archive was generated by hypermail 2.2.0 : Fri Aug 01 2008 - 02:21:11 PDT