By Jaikumar Vijayan
August 28, 2006
The cost of data breaches may be getting a lot higher for IT
professionals who are deemed to be responsible for failing to secure
For example, Maureen Govern, AOL LLC's chief technology officer,
abruptly resigned last week in the aftermath of a disclosure that the
company had publicly released data on searches done by about 650,000 of
its online subscribers. AOL also fired two workers in its research
division, which was responsible for the release of the data and had been
overseen by Govern.
It was the second time this month that high-level technology managers
lost their jobs because of data breaches. On Aug. 3, Ohio University
sacked two top IT managers for what it saw as their failure to prevent a
series of breaches discovered at the Athens-based school in the spring.
In addition, university CIO William Sams announced in July that he will
resign once someone is found to replace him, saying that "a new energy
level and skill set" is needed in the school's IT organization. Sams is
still on the job, though, and he wrote the termination letters sent to
the two fired managers.
IT managers should expect firings and other harsh disciplinary actions
to become more common as organizations face increasing public pressure
to address data breaches that they suffer, said Robert Scott, managing
partner at Dallas-based law firm Scott & Scott LLP.
"In order for companies to have a credible position in the marketplace,
they're going to have to explain in a public way what they have done to
address the issue," Scott said. "The risks that companies face from a
liability and a reputation perspective are such that when breaches
occur, people will not only need to be held accountable, but heads will
have to roll."
Such "forced accountability" is at least partly the result of the
intense media scrutiny that data breaches now receive, said Bob
Hartland, director of IT, servers and networking systems at Baylor
University in Waco, Texas. The attention has heightened public concerns
and "made a lot of people nervous," he said.
Tim O'Pry, CTO at The Henssler Financial Group in Kennesaw, Ga., said
that accountability is necessary and that it's reasonable to expect that
people will lose their jobs if their negligence causes or contributes to
a security breach.
The problem is that many times, the workers who are held responsible for
breaches are only following what until then had been accepted practices
within their companies, O'Pry said. And they may not have had the
responsibility or authority to change the practices, he noted.
But as companies face increasing pressure to "do something" in the wake
of a breach, the fallout often means demotions, firings or other
personnel actions, said O'Pry. That approach is part of a wider tendency
by corporate officials to deal with data security issues on a reactive
basis, he added.
"This knee-jerk, after-the-fact mentality is pervasive with many aspects
of security," O'Pry said.
"Somebody has to take the chop for [breaches]," said Lloyd Hession,
chief security officer at BT Radianz, a New York-based company that
offers telecommunications services to the financial industry. "The real
question, though, is whether it's the right guys' heads that are
Forging closer ties with IT audit teams is a key to survival in the new
environment, Hession advised. "If you think you have an issue, go to
Audit and tell them about it," he said. If the audit group concurs that
a security problem exists, it should be easier to get the resources
needed to fix it, Hession added.
And if the auditors agree that there's an issue "and nobody does
anything about it, you probably don't need to be falling on your sword"
if a data breach does occur, he said.
Companywide outreach and communication also are critical, according to
Managers who are responsible for IT security "need to do a better job of
articulating a business case [that] suggests that ignoring data security
and shuffling it to the bottom of the priority list is a recipe for
disaster," he said.
In addition to the incidents at AOL and Ohio University, the massive
security breach disclosed by the U.S. Department of Veterans Affairs in
May resulted in a shake-up that included the resignation of the agency's
chief information security officer. But the CISO's departure is thought
to have been driven by his frustration over organizational issues within
the VA, which traditionally has split most IT and security
responsibilities among its three main operating divisions.
HITBSecConf2006 - Malaysia
The largest network security event in Asia
32 internationally renowned speakers
7 tracks of hands-on technical training sessions.
Register now: http://conference.hitb.org/hitbsecconf2006kl/