Friday, March 21

The C-Level execs take the fall

One more thing re: the State Dept. passport breach. Notice who's in the news taking the heat for the breach: the "CEO" of the State Department, Secretary Rice. That's exactly what we were told would happen at the Gartner GRC Summit a few weeks ago. It's the C-level executives who take the fall when a high-profile breach occurs, which is one of the reasons governance is vital to the business, and why a correctly done risk analysis should beget executive sponsorship for risk mitigation solutions.

It's really interesting to me that such a seemingly ordinary act has become such a high-profile breach. By ordinary act, I mean seemingly non-malicious and carried out entirely within approved rights and privileges. These employees were GIVEN the power to act. They didn't have to TAKE the power through theft or hacking. And that's the risk with privileged users. With them, it's not about preventive security controls; they can simply decide to subvert policy. That's why Dave's post was so timely. You can't block every abuse of a granted privilege, but you can audit every transaction.
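As an added illustration of "audit every transaction" (example code, not part of the original post or of any product it mentions): a small Python review of a constructed audit log of record lookups by privileged users. The access itself was authorized, so there is nothing for a control to block; what the trail can surface is a lookup of a flagged record with no case attached to it, or a burst of such lookups by one user. The log format, the `sensitive` flag, the case-ID field and the burst threshold are all assumptions made for the example.

```python
"""Review an audit trail of privileged record lookups.

Added example; not code from the original post. The log layout, the
"sensitive" record flag, the case-ID column and the thresholds below are
assumptions for illustration only.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit log (not real data). One line per lookup:
#   timestamp  user  record_id  case_id ("-" if none)  record_flag
AUDIT_LOG = """\
2008-03-14T09:02:11 agent.alice R-10001 CASE-551 normal
2008-03-14T09:05:40 agent.alice R-10002 CASE-551 normal
2008-03-14T12:31:05 agent.bob R-90001 - sensitive
2008-03-14T12:31:52 agent.bob R-90002 - sensitive
2008-03-14T12:32:30 agent.bob R-90003 - sensitive
2008-03-14T14:10:00 agent.carol R-90001 CASE-600 sensitive
2008-03-15T08:00:00 agent.dave R-20001 CASE-777 normal
"""


def parse_log(text):
    """Turn the whitespace-separated log lines into dicts."""
    entries = []
    for line in text.strip().splitlines():
        ts, user, record, case, flag = line.split()
        entries.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"),
            "user": user,
            "record": record,
            "case": None if case == "-" else case,
            "flag": flag,
        })
    return entries


def detect(entries, burst_count=3, window=timedelta(minutes=5)):
    """Return alerts as (kind, user, detail, timestamp) tuples.

    Two rules, both assumptions for the example:
      no_case: a sensitive record was read with no case ID justifying it.
      burst:   the same user read >= burst_count sensitive records
               inside `window`, regardless of case IDs.
    """
    alerts = []
    recent = defaultdict(list)  # user -> timestamps of sensitive lookups
    for e in sorted(entries, key=lambda e: e["ts"]):
        if e["flag"] != "sensitive":
            continue  # ordinary records are logged but not alerted on
        when = e["ts"].isoformat()
        if e["case"] is None:
            alerts.append(("no_case", e["user"], e["record"], when))
        # Keep only lookups inside the sliding window, then test the count.
        hist = [t for t in recent[e["user"]] if e["ts"] - t <= window]
        hist.append(e["ts"])
        if len(hist) >= burst_count:
            detail = f"{len(hist)} sensitive lookups within {window}"
            alerts.append(("burst", e["user"], detail, when))
            hist = []  # reset so one burst yields one alert
        recent[e["user"]] = hist
    return alerts


def users_to_review(alerts):
    """Distinct users named in any alert, sorted for the reviewer."""
    return sorted({a[1] for a in alerts})


if __name__ == "__main__":
    for alert in detect(parse_log(AUDIT_LOG)):
        print(*alert)
    print("review:", users_to_review(detect(parse_log(AUDIT_LOG))))
```

Note what the example does and does not do: agent.carol's read of the same sensitive record passes because a case ID is attached, which is the whole point of tying each privileged transaction to a business reason at log time. The rules only pay off if the trail is written somewhere the privileged user cannot edit and someone actually reviews the alerts.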

2 comments:

Alex said...

Really, I expect that this "CEO" is taking the heat because it's a political thing involved in a presidential race.

I'm sure they exist, but I'm challenged to think of any other CEO that has been forced to resign by the board because of a security breach. TJX, DSW, SocGen... So to me, this would be an outlier rather than the norm.

Matt Flynn said...

Interesting perspective - thanks Alex. I already pointed to the recent Gartner GRC event where a number of speakers discussed this and clearly had a different opinion. They even cited specific companies whose CEOs were affected, but I unfortunately don't have a recording. I wonder if someone else could weigh in?

Ultimately, I believe it's the CEO who should be responsible for managing business risk since it affects the bottom line. And information security is a byproduct of business risk. We certainly have seen if nothing else that the CEOs at TJX, Hannaford and others put their signatures on the customer apology letters. They may not lose their jobs, but they certainly spend time and effort cleaning up the mess for what is usually considered an IT issue. Sec. Rice was on TV and in the news because of the political nature of this story, but her involvement was similar to that of the TJX and Hannaford CEOs – sorry and assurance.