Corporate Security Accountability
In order to ensure consumer information is well protected, corporate security accountability must be established at the highest levels. Companies in industries where consumer personal information is needed to execute business transactions, such as banking and healthcare, must be held accountable for protecting the information they collect from their customers. This accountability should apply not only to protecting the information they have already collected but also to the amount of information they collect for business reasons. Sometimes, companies unnecessarily collect more information than they need from their customers, placing both the company and consumers at risk.
Corporate security accountability means taking information protection seriously and ensuring all the required controls are in place to protect consumer personal information. Once the controls are in place, they must not be overridden, especially by executive management, unless a very good justification exists. Corporate accountability is sometimes imposed by Federal and State laws; however, I think consumer information protection should be part of reasonable business practices to ensure long-term consumer trust, loyalty and business relationships.
Corporate security accountability includes many components, such as designating a competent Information Security Officer, also known as a CSO, ISO or CISO. The ISO is then responsible for implementing and maintaining an information security program that includes policies and standards, which should be followed by all employees without exception, including executive management.
I have witnessed corporate executives many times demanding a policy override and asking for passwords that never expire or for a longer inactivity period before the computer is locked. This indicates either that senior management doesn’t understand the risks their actions pose to the companies and the customers they are charged to protect, or that they absolutely don’t care about information security and only think about making their life a little easier while at work. Typically, executives have access to more corporate resources, whether computer systems or locations and buildings. As such, they should be subject to more security, not less, when compared to the general population of the company.
In most regulated industries where consumer information is routinely collected as part of business operations, an Information Security Officer is hired and charged with the protection of the company’s information assets, whether business information or consumer personal information. If the ISO is not supported with adequate budget and authority by the company’s executive management, the ISO will not be effective in executing his or her job responsibilities.
During major, publicized corporate security breaches, the finger is almost always pointed at the ISO, even if he or she was never given the power to protect the confidential information. You may then wonder why a company would appoint an ISO and never provide the right resources. Well, sometimes it is because the laws with which companies must comply require placing an ISO on the organizational chart, which gives the appearance of accountability; then, when a security breach gets out of hand and can’t be swept under the rug, the ISO gets fired to portray an image of corporate responsibility and leadership to outsiders. However, these tricks don’t work anymore, and consumers are more aware than ever of their rights and of business obligations, thanks in part to the awareness that websites like this one provide.
Please visit the legal section of this site to learn about corporate security accountability laws.