Beating Around the Proverbial Cybersecurity Bush

If I’ve said it once, I’ve said it a thousand times … until we put real teeth into cybersecurity enforcement and insist upon serious personal legal consequences for those at the top, we won’t see improvement. We’ve beaten around the bush for far too long. How many more breaches, besides the recent JP Morgan Chase, Target and Home Depot catastrophes, will need to happen before we wise up and beat the bush itself? An article by Julie Creswell and Nicole Perlroth in The New York Times of September 20, 2014 has the title “Ex-employees Say Home Depot Left Data Vulnerable – 56 Million Credit Cards – Before Hacker’s Breach, Years of Warnings Were Ignored.” The title alone is devastating, but is surely representative of many companies. Post-breach newspaper articles suggest that, for many of the data breaches that reach the public, there were consistent refusals by management to invest adequately in preserving the security of the personal information assets that have been entrusted to their custody.

I recall what happened with Y2K remediation and why the effort was so successful, although many uninformed individuals still believe that a mountain was made out of a molehill. They think that Y2K was a non-event. After all, we got through it with no major mishaps. But what many don’t realize is that it could have turned into a major global catastrophe had it not been for the legal and regulatory requirements for senior corporate executives and Boards of Directors to guarantee that an appropriate remediation effort had been made. At least in the U.S., senior executives had to sign that their companies had fully remediated all known instances of improper date coding. If they had lied in so testifying and appropriate program changes had been seen not to have been made, the corporate executives and the Board members could have been indicted and might have ended up in jail.

I well remember a CEO saying that he didn’t care how much of the company’s money was spent on Y2K remediation efforts as long as it kept him out of jail. I’m sure that the threat of indictment and subsequent incarceration (if found guilty) would quickly encourage executives to ensure that the best cybersecurity measures are in place and operating effectively.

So that’s it … short and simple. Make senior management and Board members directly responsible for security breaches and criminally culpable if their companies’ data are stolen and negligence or misconduct can be demonstrated. Then, I think, InfoSec professionals’ warnings would be taken very seriously indeed.

One Comment

  1. Jessica Dodson Oct 31, 2014 at 12:00 pm

    You never hear about all the security attacks that IT manages to stop, only the ones that sneak past all the defenses. However, when the C-suite doesn’t value cyber security, the IT team is often trying to do more with less. They get so caught up in the day-to-day tech issues that security gets pushed further and further to the back burner.
