Sunday, April 13, 2008

Jail Time for CEOs?

According to this article from Computer World,
[a] growing number of security pros believe that the way to stop data breaches from happening is as simple as it is stark -- send the CEOs or board members deemed responsible to jail.

To me this seems like a terrible idea. CEOs and corporate board members are not expected to be intimately involved with their company's IT. Indeed, in a well-functioning company, a CEO will be aware of the company at a much higher level, and so won't know the facts "on the ground" that lead to a data security incident. Imagine how that would change if CEOs went to prison for data breaches. Instead of being generalists, they'd become micro-managers - and the companies they're responsible for would suffer as a result.
Obviously, my thought is that CEOs should not be sent to prison for information security breaches. Prison, at least in the context of the business world, is an extreme punishment, and it should be reserved for extreme situations such as actual fraud, or wrongdoing leading to loss of life. For the simple negligence (or even bad luck to be the victim of a determined hacker) behind most information security incidents, prison not only has the potential to create perverse incentives to micro-manage, but is also wildly disproportionate to the "wrongdoing" of the CEOs who would be put away.
