Thursday, July 12, 2007
Pressure on CEOs for Information Security
According to this article in ComputerWorld, the Information Commissioner in the UK is blaming CEOs for data security breaches. "How", he asks, "can laptops holding details of customer accounts be used away from the office without strong encryption? How can millions of store card transactions fall into the wrong hands?" Of course, there are any number of ways that "millions of store card transactions" can fall into the wrong hands even if a business does have an effective information security policy in place (e.g., they can be stolen by an employee, such as described here). Also, how productive it would be to make CEO's responsible for information security is anyone's guess, as most CEOs aren't (and aren't expected to be) knowledgeable enough about information security to contribute effectively to the conception or implementation of an information security policy. Whether the commissioner's comments are a harbinger of regulations targeting CEOs, or whether they are simply another statement of outrage from a government official about identify theft is another open question. However, whether followed by regulation or not, there is no reason to believe that targeting CEOs will positively contribute to reducing identify theft or incidence of data security breaches.