The cost of data breaches may be getting a lot higher for IT professionals who are deemed to be responsible for failing to properly secure corporate information.
For example, AOL LLC's chief technology officer abruptly resigned this week in the aftermath of a disclosure that the company had publicly released data on searches done by about 650,000 of its online subscribers. AOL also fired two workers in its research division, which was responsible for the data release and had been overseen by now-former CTO Maureen Govern.
It was the second time this month that high-level technology managers lost their jobs because of data breaches. On Aug. 3, Ohio University announced that it had sacked two top IT managers for what it saw as their failure to prevent a series of breaches that were discovered at the Athens-based school during the spring.
In addition, university CIO William Sams announced in July that he would resign once someone is found to replace him, saying it had "become clear to me that a new energy level and skill set is going to be required in order to allow our IT organization to realize its potential." Sams is still on the job, though, and he wrote the termination letters to the two fired managers.
IT managers should expect firings and other harsh disciplinary actions to become more common as organizations face increasing public pressure to address data breaches that they suffer, said Robert Scott, managing partner at Dallas-based law firm Scott & Scott LLP.
"In order for companies to have a credible position in the marketplace, they're going to have to explain in a public way what they have done to address the issue," Scott said. "The risks that companies face from a liability and a reputation perspective are such that when breaches occur, people will not only need to be held accountable, but heads will have to roll."
Such "forced accountability" is at least partly the result of the intense media scrutiny that data breaches now receive, said Bob Hartland, director of IT, servers and networking systems at Baylor University in Waco, Texas. The attention has heightened public concerns and "made a lot of people nervous," he said.
Tim O'Pry, CTO at The Henssler Financial Group in Kennesaw, Ga., said accountability is necessary, and it's reasonable to expect that people will lose their jobs where negligence has occurred.
The problem is that many times, the workers responsible for a security breach are only following what until then had been accepted practices within their companies, O'Pry said. And they may not have had the responsibility or authority to change the practices, he noted.
As companies face pressure to "do something," the fallout often means demotions, firings or other personnel actions, said O'Pry. That approach is part of a wider tendency by corporate officials to deal with data security issues on a reactive basis, he added.
"This knee-jerk, after-the-fact mentality is pervasive with many aspects of security," O'Pry said.
"Somebody has to take 'the chop' for [breaches]," said Lloyd Hession, chief security officer at BT Radianz, a New York-based company that offers telecommunications services to the financial industry. "The real question, though, is whether it's the right guys' heads that are rolling."
Forging closer ties with IT audit teams is a key to survival in the new environment, Hession advised. "If you think you have an issue, go to audit and tell them about it," he said. If the audit group concurs that a security problem exists, it should be easier to get the resources needed to fix it, Hession added. And if the auditors agree that there's an issue "and nobody does anything about it, you probably don't need to be falling on your sword" if a data breach does occur, he said.
Companywide outreach and communication also are key, according to Scott. Managers who are responsible for IT security "need to do a better job of articulating a business case [that] suggests that ignoring data security and shuffling it to the bottom of the priority list is a recipe for disaster," he said.
In addition to the incidents at AOL and Ohio University, the massive security breach disclosed by the U.S. Department of Veterans Affairs in May resulted in a wide-ranging shake-up that included the resignation of the agency's chief information security officer. But the CISO's departure is thought to have been driven by his frustration over organizational issues within the VA, which traditionally has split most IT and security responsibilities among its three main operating divisions.