Ethics: Who's Responsible for Being Responsible?

Our law, ethics and privacy columnist weighs in on taking security responsibility to the top of the corporate ladder.

By David H. Holtzman

September 04, 2002, CSO — I have to confess to a fascination for corporate roadkill. I love reading lurid details of insider naughtiness. Between Enron, Andersen and whatever is currently ripening under the treads of WorldCom, the past six months have kept me supplied with reading material for a long time to come. But for any director of a public company, these stories should serve as a chilling wake-up call as to how much sensitive information is sitting on corporate networks waiting to be found.

The privacy problem cuts two ways here. The same data handling sloppiness that infuriates customers and causes unfavorable publicity also leaves a trail of digital spoor behind management activities that even Inspector Clouseau could follow.

Don't get me wrong, I do not advocate that you whitewash illegal activities; I'm just wondering why the heck this stuff is sitting around for someone to read. I suspect the reason is that no one with any real authority understands the kind of data his company keeps or what the exposure might be if it gets out. And the people who do understand are not empowered to do anything about it.

Every company has sensitive information; perfectly legal decisions can create havoc if discovered in a civil suit or exposed to a competitor. But, just who is responsible for being responsible?

The technical answer, of course, is that the board of directors is ultimately and legally responsible for the actions of the company. But how does the board know that the company is facing this kind of exposure from operational issues?

Someone has to tell them, and this is the most valuable function of the CSO. Unfortunately, many corporate security czars are too low on the organizational totem pole to effectively interact with the board, and oblique reporting structures often blunt and filter those messages before they reach the board, or even suppress them outright. Here's how it goes:

If the CIO runs security: CIO bosses prioritize around uptime numbers and bragging rights for tight-as-a-drum networks. To them, security is binary: it is secure or it isn't. This mind-set can cause CIOs to delay reporting potential problems upward.

If the COO runs security: COOs are concerned about customer issues (read: sales). They will frequently manage security activity using existing customer relationship management, or CRM, systems. Instead of protecting the company's larger goals, the focus is on closing individual trouble tickets.

If the CFO runs security: CFOs frequently believe that the best way to grow a company is to cut costs. Guess what happens when CFOs get their hands on a security organization. They evaluate security budgetary issues by scrutinizing every preventative capital expenditure or head count increase.