Now I'll start this post with the obligatory IANAL, but there's a story over at Security Pipeline which seems to be saying that Security Managers Could Face Court Penalties for poor security, or for making lists of top measures that companies should follow and then not implementing them all...
I've got to say that the examples sound a bit over-dramatised to me, but it's an interesting theory from the point of view of convincing management of the importance of being seen to be proactive in the field of InfoSec...
Posted by rorym at June 22, 2004 7:50 PM | TrackBack

Maybe it depends on how the role of the security manager is perceived in the organisation.
- If it is the one of decision support/preparation for the CIO and the minding the wheels of security-related things through security management (I like ITIL there!), I'd assume that if someone ends up in court it ought to be the higher ranks..
Stefan
Posted by: Stefan Keller at June 22, 2004 10:56 PM

Yep, I'd agree that unless the security officer has authority/responsibility for all security matters then I'd expect to see a higher up person take the fall in court.
What I'll be surprised to see is corporate officers turning up in court at all for poor information security. I mean, if you look at all the hacks that have occurred, yet I've never seen a company sued for the breaches yet.....
Posted by: Rory.Blog at June 23, 2004 9:39 PM