An international survey conducted by Websense reveals that 30% of respondents think that CEOs and board members at companies where a data breach occurred should be jailed. Now, I wouldn’t find this too surprising, except that it was a survey done on security professionals at the 2009 e-Crime Congress. That’s got me scratching my head.
The use of firewalls, data redaction, data encryption, and other data loss prevention and information security measures can radically minimize data security breaches. However, it’s also generally agreed that these measures can only do so much.
For example, how are these technologies going to prevent the “grand poobah” database administrator from copying data to a USB disk which will subsequently be sold to the competition? They can’t. And if said admin is also in charge of the logs, he can erase any record of his activities. (The trick is to have someone else in charge of the logs, but there are other issues as well: how do you differentiate the illegal activity from normal operations?)
Obviously, there’s very little one can do in instances like the above. It’s the classic case of who’s going to police the police. I can tell you, it’s not going to be the CEOs–they generally don’t have the necessary skills.
And that brings me back to my head-scratching. Will jailing CEOs for data breaches really make a difference? Isn’t that similar to updating firewalls after hackers get through or installing full disk encryption like AlertBoot on laptops after computers get stolen or lost? (Which is what’s happening currently.)
Maybe what they meant is that CEOs should feel the pressure to really take a good look at their company’s data security measures. But that can be achieved via other methods: 62% of the survey respondents opined that companies should be fined (not sure if there’s any overlap with the jail-the-CEO crowd) for breaches. Make the fine big enough, and CEOs are bound to take notice.
Also, this is just a guess, but I figure the CEOs wouldn’t really change their priorities even if they face the potential for jail time. The reason? Most people–CEOs included–pay scant attention to data security not because they don’t have a personal stake, but because they believe it won’t happen to them.
It’s like jaywalkers: the threat of being run over is not enough to stop them from crossing outside designated areas, because they don’t think they’ll ever become roadkill.
Will jail time for CEOs get their attention? Sure. Will it prompt them to assign priority to data security over the bottom line? Doubtful.