I vaguely remember that Investment Bank I worked for many many years ago had to appoint a CIO as head of Japan IT. We had a global CIO, and a regional Asia Pacific CIO but the regulators required it of us. From memory, one of the main reasons being that they needed to have someone to put into gaol (or jail for the US readers) in the event of a big stuff up in IT systems and processes. (ie; something like the TJX problem, traders doing dodgy stuff or bad things in general being allowed to happen as a result of poor practices). Now the gaol bit would probably have been an extreme, but we certainly knew it could be possible.

Accountability! It counts for a lot!

Japan was not alone. The MAS in Singapore were certainly on the case and other countries in the region weren’t far behind. My role at the time was regional head of IT Security so I had quite a bit to do with the regulators.

Were our IT Security and Risk Management practices perfect as a result of this regulatory pressure? No! But relative to other organisations I had worked for in other sectors and other countries, they were head and shoulders above them!

Coming back to the Australian business environment and in particular the banking sector around 2001 was a culture shock. Bugger all regulatory care, little to nothing in terms of pressure on organisations to adhere to best (not even industry good) practices, and zip in terms of overall accountability outside of the standard lip service. Have things changed here since 2001? Not at all. In fact the PCI DSS is about the only thing of substance that I have seen.
(As an aside, local regulator was happy to pass local finance sector business we know of recently if they could produce an updated standard – 7799 will do and you’re set!)

The TJX saga fallout continues as reported in searchsecurity. This story is well worth a read as it highlights the failure of organisations to adhere to even basic security principles and controls. As I have noted here many times, this is more often the rule rather than the exception. Just because you’re not hearing about more TJXs doesn’t mean other organisations are doing better. It’s generally the case that:

1. The organisation’s security is about to be breached because of horrible security.
2. The organisation’s security has been breached and they never knew about it.
3. The organisation’s security has been breached and continues to be.

We know this because we see it everyday.

Because there are no disclosure laws here, you won’t hear about it in most cases. If we demonstrate to an organisation that more than likely points (2) and (3) have happened, unless we investigate further, it can’t be proven, (as mentioned previously that path is rarely followed).

CEOs need to be asking what their CIOs (or whoever manages IT Security) have been doing in regards IT Security and have them demonstrate how and why their approach gets the tick for industry good-best practice. If the CIO cannot do that and justify why, and/or passes the buck to a lower manager, or pulls the old “It hasn’t been my responsibility” card, that CIO should not be or never have been a CIO. I have seen so many that fit into this category. As an old IT Director (pre-CIO days), I can’t fathom how some CIOs are in the positions they are in.

The TJX problems may start to raise awareness now to levels other incidents in the past have threatened too but never delivered. I’d love to be a fly on the wall as cornered CIOs start the spin.