The cost of data breaches may be getting a lot higher for IT professionals who are deemed to be responsible for failing to properly secure information.
For example, AOL’s chief technology officer abruptly resigned recently in the aftermath of a disclosure that the company had publicly released data on searches done by about 650,000 of its online subscribers. AOL also fired two workers in its research division, which was responsible for the data release and was overseen by now-former CTO Maureen Govern.
It was the second time last month that high-level technology managers lost their jobs because of data breaches. On August 3, Ohio University announced that it had sacked two top IT managers for what it saw as their failure to prevent a series of breaches.
In addition, the university’s CIO William Sams announced in July that he would resign once someone is found to replace him, saying it had “become clear to me that a new energy level and skill-set is going to be required in order to allow our IT organisation to realise its potential.” Sams is still on the job, though, and he wrote the termination letters to the two fired managers.
IT managers should expect firings and other disciplinary actions to become more common as organisations face increasing public pressure to address data breaches, says Robert Scott, managing partner at Dallas law firm Scott & Scott.
“In order for companies to have a credible position in the marketplace, they’re going to have to explain in a public way what they have done to address the issue,” Scott says. “The risks that companies face from a liability and a reputation perspective are such that when breaches occur, people will not only need to be held accountable, but heads will have to roll.”
Such “forced accountability” is at least partly the result of the intense media scrutiny that data breaches now receive, says Bob Hartland, director of IT, servers and networking systems at Baylor University in Texas. The attention has heightened public concerns and “made a lot of people nervous”, he says.
Tim O’Pry, CTO at The Henssler Financial Group, says accountability is necessary, and it’s reasonable to expect that people will lose their jobs when negligence has occurred.
The problem is that many times the workers responsible for a security breach were only following what until then had been accepted practice within their companies, O’Pry says. And they may not have had the responsibility or authority to change the practice, he says.
As companies face pressure to “do something”, the fallout often means demotions, firings or other personnel actions, he says. That approach is part of a wider tendency by corporate officials to deal with data security issues on a reactive basis, he adds.
“Somebody has to take ‘the chop’ for [breaches],” says Lloyd Hession, chief security officer at BT Radianz, which offers telecommunications services to the financial industry. “The real question, though, is whether it’s the right guys’ heads that are rolling.”
Forging closer ties with IT audit teams is the key to survival in the new environment, Hession says. “If you think you have an issue, go to audit and tell them about it.”
If the audit group concurs that a security problem exists, it should be easier to get the resources needed to fix it, he says. And if the auditors agree that there’s an issue “and nobody does anything about it, you probably don’t need to be falling on your sword” if a data breach does occur, he says.