In Depth

Security Accountability: The Fault Line

Welcome to a world where projects fail, computers crash and secrets escape...and you don't have to be the fall guy.

By Tom Wailgum

Page 2

In the end, however, taking the risk, or not, always boils down to one decision, made by one person, who signs his name on the dotted line and says, "Let's go for it."

But that person should never be you.

This is the new accountability, and it's time you got on board.

Eduardo Dardet recalls the story with ease. In fact, most of the specifics come back to him with little prodding. He was home on a Friday evening, on the last day of May, when the phone rang. It was a call from work he hadn't been expecting.

Dardet's company, JM Family Enterprises, was on the verge of signing a multimillion-dollar outsourcing deal with a large software vendor. Involved in these after-hours discussions were a group of business heads from his company and three corporate lawyers. The vendor's representatives, with their own legal brawn, weren't agreeing to one of JM Family's established security clauses, which in turn prompted the vice president of JM Family's project management office to call Dardet, the director of information security. He wanted to ask him one simple question: Should this be a deal-breaker?

For Dardet and JM Family, the 13th-largest privately held company in the United States and a leader in the automotive distribution industry, the pressure to enlist the vendor's services was rising. "It was very tense," Dardet recalls. At midnight, the vendor was going to close its books for the previous quarter, and it wanted to add this lucrative sale to its bottom line. It was also a sweet deal for JM Family; the financial incentives, anyway, made it a no-brainer. Which made Dardet's job all the harder. "This was not some nice-to-have system. This was a core system," he says, reflecting on it now, months later. "I thought, Am I really the one who is going to block this thing?"

Dardet, of course, had done his due diligence beforehand. He had followed a rigorous infosecurity approval process, working with the company's procurement department, its project management office and the company's in-house and outside lawyers to hammer out the details. To dig deeply into the risks. To figure out potential impact, develop mitigation strategies. Delve into regulatory and compliance matters. Simply put, to do what he gets paid for.

But that phase of the process had passed. So why were they calling him now?

As it happened, the deal was hanging on one infosecurity-related snag. JM Family requires two main infosecurity clauses as a standard part of its contracts. The first relates to a broad protection of confidentiality and integrity of JM Family's data. The second requires the vendor to notify JM Family of any suspected or known security breach that could in any way affect JM Family's systems. The vendor seemed to have a change of heart; it wasn't prepared to comply with the second clause.
