IT Execs on Firing Line Over Security Breaches

The cost of data breaches may be getting a lot higher for IT professionals who are deemed to be responsible for failing to secure corporate information.

For example, Maureen Govern, AOL LLC's chief technology officer, abruptly resigned last week in the aftermath of a disclosure that the company had publicly released data on searches done by about 650,000 of its online subscribers. AOL also fired two workers in its research division, which was responsible for the release of the data and had been overseen by Govern.

It was the second time this month that high-level technology managers lost their jobs because of data breaches. On Aug. 3, Ohio University sacked two top IT managers for what it saw as their failure to prevent a series of breaches discovered at the Athens-based school in the spring.

In addition, university CIO William Sams announced in July that he will resign once someone is found to replace him, saying that "a new energy level and skill set" is needed in the school's IT organization. Sams is still on the job, though, and he wrote the termination letters sent to the two fired managers.

IT managers should expect firings and other harsh disciplinary actions to become more common as organizations face increasing public pressure to address data breaches that they suffer, said Robert Scott, managing partner at Dallas-based law firm Scott & Scott LLP.

"In order for companies to have a credible position in the marketplace, they're going to have to explain in a public way what they have done to address the issue," Scott said. "The risks that companies face from a liability and a reputation perspective are such that when breaches occur, people will not only need to be held accountable, but heads will have to roll."

Such "forced accountability" is at least partly the result of the intense media scrutiny that data breaches now receive, said Bob Hartland, director of IT, servers and networking systems at Baylor University in Waco, Texas. The attention has heightened public concerns and "made a lot of people nervous," he said.

Tim O'Pry, CTO at The Henssler Financial Group in Kennesaw, Ga., said that accountability is necessary and that it's reasonable to expect that people will lose their jobs if their negligence causes or contributes to a security breach.

The problem is that many times, the workers who are held responsible for breaches are only following what until then had been accepted practices within their companies, O'Pry said. And they may not have had the responsibility or authority to change the practices, he noted.

PAYING THE PRICE
AOL

WHAT HAPPENED: The company's research division bypassed required privacy reviews and posted the details of Internet searches done by more than 650,000 subscribers.

FALLOUT: AOL CTO Maureen Govern resigned last week and was replaced by her predecessor, and a researcher and a manager in the research division were fired.OHIO UNIVERSITY

WHAT HAPPENED: A series of security breaches was discovered on the school's network in April and May. One of them exposed confidential information on 137,000 people.

FALLOUT: CIO William Sams said he planned to resign, then he fired the director of communication network services and the manager of Internet and systems.

But as companies face increasing pressure to "do something" in the wake of a breach, the fallout often means demotions, firings or other personnel actions, said O'Pry. That approach is part of a wider tendency by corporate officials to deal with data security issues on a reactive basis, he added.

"This knee-jerk, after-the-fact mentality is pervasive with many aspects of security," O'Pry said.

"Somebody has to take the chop for [breaches]," said Lloyd Hession, chief security officer at BT Radianz, a New York-based company that offers telecommunications services to the financial industry. "The real question, though, is whether it's the right guys' heads that are rolling."

Forging closer ties with IT audit teams is a key to survival in the new environment, Hession advised. "If you think you have an issue, go to Audit and tell them about it," he said. If the audit group concurs that a security problem exists, it should be easier to get the resources needed to fix it, Hession added.

And if the auditors agree that there's an issue "and nobody does anything about it, you probably don't need to be falling on your sword" if a data breach does occur, he said.

Companywide outreach and communication also are critical, according to Scott.

Managers who are responsible for IT security "need to do a better job of articulating a business case [that] suggests that ignoring data security and shuffling it to the bottom of the priority list is a recipe for disaster," he said.

In addition to the incidents at AOL and Ohio University, the massive security breach disclosed by the U.S. Department of Veterans Affairs in May resulted in a shake-up that included the resignation of the agency's chief information security officer. But the CISO's departure is thought to have been driven by his frustration over organizational issues within the VA, which traditionally has split most IT and security responsibilities among its three main operating divisions.

7 questions to ask your EMM provider about GDPR compliance
  
Shop Tech Products at Amazon