As I travel around speaking, performing network assessments, and discussing security with various corporate leaders, I often hear a fairly consistent and disturbing mantra.
“If you find vulnerabilities and risks in our environment, then we will have to fix them.”
The prevailing wisdom from a security and compliance perspective seems to be: “If we don’t know about it, we are not responsible for the risk it represents.”
Let me just clear this up…
W R O N G !!!!!!!!!!
When (not if) you are breached, that excuse will fall very flat with a board of directors, shareholders, and the others you are accountable to. The old adage “ignorance of the law is no excuse” applies in information security as well: a vulnerability that a routine assessment would have found is one you are expected to have known about, whether or not you chose to look.
Not only is IT leadership at risk; punitive measures can reach to the very top of the organization, as we learned from the Target breach:
From the Forbes.com article “Target CEO Fired - Can You Be Fired If Your Company Is Hacked?” by Eric Basu:
“A common perspective is that cyber security is primarily the responsibility of the IT department. If a data breach incident occurred, the senior IT executive was the only one to take the fall, and usually only if there was incompetence involved vs. simply bad luck.”
“Target’s CEO Gregg Steinhafel, a 35-year employee of the company with the last six at the helm, resigned in light of the recent holiday-season credit-card security breach that affected 40 million customers.”
Consider the similarity between a digital risk and a small area of cancer in the body. Often, if the cancer is discovered early, removing it is a fairly simple procedure. The same is true of risk in a digital environment: a vulnerability found in a scheduled assessment is patched on your terms, while one found by an attacker is handled on theirs. Failure to identify and treat either one can result in consequences that far outweigh the cost of treatment or remediation.
Imagine me telling my general practitioner that I would prefer he not check for cancer because…
“If I don’t know about it, I am not responsible for the risk it represents”.