You raise a difficult issue - how you would honestly resolve it. On one hand, CSOs cannot be personally liable for every hack. On the other, they shouldn't be given a pass on everything either.
So how does one draw the lines between bad luck, reasonable security problems, everyday poor performance, civil liability, and criminal negligence?
> A random engineer could make a mistake that gets hackers a step closer
That could be prevented, to a large extent, with much tighter controls. Of course, those controls would greatly increase the cost of operations and other things.
Is it possible we're all accustomed to the wrong model, that our standard of IT security is like the standard of car safety in the early auto industry (and maybe until the 1970s) - far too lenient? Maybe we should be facing the potential fact that the normal cost of IT should include those controls and other security expenses.
(In the EU) companies are already required to tell me where my personal data goes. There is no specific fine for violations as far as I know though.
Essentially we need a price tag on personal data. Let's say $1 for each email and password leaked to an unknown number of entities. That would be a $114M incentive for Uber to keep their data secure.
> There is no specific fine for violations as far as I know though.
It's a shame this happened pre-GDPR because that has steep fines - 4% of worldwide revenue - which would be north of $260M going off their 2015 numbers. And that's assuming they get off with a single fine.
GDPR is pretty much the thing that will - if properly executed - mean the end of these things.
As CEO, former engineer and customer I really hope this gets some serious traction. IMHO if you are making money from customers, it should be mandatory to follow compliance regulations and protect all data.
GDPR will come into effect in about half a year. Everyone is a sitting duck about exactly how to implement things. When this comes into effect, companies will take it seriously - the fine is astronomical if you fail.
> You raise a difficult issue - how you would honestly resolve it. On one hand, CSOs cannot be personally liable for every hack. On the other, they shouldn't be given a pass on everything either
Sure they can. It is called "insurance". Sort of like malpractice. CSO wants to get paid millions of dollars? Excellent, either be personally on the hook or have an insurance company that would be willing to underwrite your method of dealing with it, be that having your own crack team of people who get to oversee everything, or relying on Jr system admins from your company or whatever else.