“The risk of going to jail usually pushes information security up the
boardroom agenda,” conclude Jon Fell and John Skelton in their feature on e-crime.
Fair enough, I guess – the integrity of customer data has to be a crucial
business priority. But who should really call the shots when it comes to
security, the IT department or the business?
A recent survey by Websense suggested 95 per cent of security professionals
believe the chief executive should be held accountable for a breach, with a
quarter of respondents believing the boss should go to jail in the event of a
consumer data incident.
Tough talking from the IT professionals – and the survey also found just
five per cent of security experts believe ultimate responsibility for a breach
lies with the IT department, a huge drop from 21 per cent in 2007.
Are such hard-hitting opinions reasonable or are we looking at a case of IT
professionals attempting to pass the buck?
Chief security officers (CSOs) certainly think so, with conference specialist
Infosecurity Europe suggesting many are very concerned about the integrity of
their application code.
As many as 75 per cent of European businesses think their applications
contain security holes that can be exploited by criminals, according to
Infosecurity Europe – and CSOs say they would welcome an initiative to raise
awareness of security among the developer community.
IT leaders, then, blame the followers. But let’s be honest, no one would
blame security professionals for playing their “get out of jail free” card,
especially with the media hype surrounding customer data loss.
Such incidents have placed increased pressure on firms to ensure their
systems and policies are up to date and in line with current regulatory demands.
Take the recently enforced Companies Act, which gives enhanced rights to
auditors to obtain information. The Act states directors must disclose accurate
information to auditors.
Board members who include false information run the risk of eating porridge
at Her Majesty’s pleasure.
Security chiefs take note. While some IT leaders may be keen to apportion
blame for e-crime on security professionals, real responsibility will always
rest with the boss.
What do you think? Read Mark Samuels’ blog at:
http://knowledge.computing.co.uk