CEOs are now responsible for data security
CEOs: Get your IT house in order

It seems that the Target disaster gets even worse.  In the wake of Target losing their 35-year veteran CEO, the message is clear to CEOs: “You are now responsible for the security of your data!”

In the past, companies have simply blamed IT for not having good security practices in place.  If credit card or personal data left the company due to hackers, an IT director or even the CIO would be blamed.  Many companies would shrug their shoulders, scold their IT department, and try to handle the bad press.  It was a disturbing trend.

Now, we as consumers are mad.  We trust vendors with personal information and we trust that it will be protected.  One after another, the vendors we trust inform us that our personal information is gone, taken by hackers.  Some attacks, such as those at AOL, the California DMV, Adobe, and others, didn’t even receive the level of press coverage they deserved.

With this latest news from Target, it is clear that consumers will not tolerate their data being lost.  Most consumers don’t even know whether their personal information is being abused, let alone how to stop it.

IT, on the other hand, faces an ever-increasing challenge in securing the data.  Simple patch management practices certainly help, but having a rock-solid patching strategy, along with putting in place all the security measures necessary to stop data loss, now becomes IT’s most critical function.  And now it’s the CEO’s job to make sure that IT follows through.

Here are my recommendations for CEOs:

  • Study and read the latest news on IT security issues.  No security plan is complete.  There are tradeoffs.  Know the risks and make sure you understand the implications.
  • Learn ITIL and other best practices for IT.  Work with your IT leaders to understand whether they are following these practices, or how to implement them in your organization.
  • Research and understand the compliance measures for your industry (PCI, HIPAA, FISMA, and others).  Work with IT to create compliance dashboards and reports, and review them regularly.
  • On the topic of reports, make IT prove they are compliant.  IT should always be working to improve security throughout the organization.  Security is a moving window, and you can be left behind quickly.
  • Talk with your employees.  Make sure they understand they are the weakest link in your security efforts and help them understand that everyone in the company is involved.  Work with HR to enforce consequences for violators.
  • Make computer security part of the responsibilities for your senior staff, regardless of their position.
  • Finally, your organization will be compromised.  Make sure you have a response plan in place.