
The nation is in the midst of a torrent of major data breaches. The most recent breaches include the Ashley Madison breach, the Office of Personnel Management breach, and the theft of millions of dollars from small- to mid-size businesses. In addition to the financial impacts, the breaches include the release of personal data including social security numbers, health and financial records, and other information. It is not always clear who perpetrates the hacks, but in the case of the OPM breach, the chief information officer (CIO), Donna Seymour – among others – has been sued for negligence, privacy violations, and other issues.

Lawyer up, CIOs. Not long ago, Chief Information Officers were seemingly insulated from damages caused by security breaches. No longer. In addition to career damage, it appears CIOs are now increasingly accountable – legally – for data breaches.

According to Jacob Frenkel, Chair of the Government Investigations and Governance practices at Shulman Rogers and a former federal prosecutor, a CIO’s legal defense needs to be much stronger than simply: “the funds were not available for security upgrades.” This is especially so when security risks have already been documented by auditors and other third parties.

According to Mr. Frenkel, implementation of an Information Security Management System (ISMS) is a necessary step towards protecting oneself.

“No senior executive can credibly claim ignorance about the risks and implications of an information security breach,” explains Mr. Frenkel. “The risks are not limited to reputation damage and civil litigation; regulators and law enforcement now scrutinize breaches from all perspectives.”

An ISMS is based on ISO 27K security standards and provides a systematic and certifiable policy framework for identifying, assessing, and managing information security risks. It is the first line of defense against security breaches. As such, an ISMS:

  • is a critical tool that every business should have, and it is not as difficult to establish as you may think;
  • provides you with a holistic, complementary and non-duplicative set of security controls that encompass other standards like CSC, PCI, SOC2, and HIPAA; and
  • serves as a periodic communication vehicle to the CEO and Board regarding the status of the company’s security controls.

You have standard processes to manage other parts of your business such as procurement processes, financial accounts processes, human capital management processes, and so on. With cyber-attacks ever present, it makes sense that you should also establish a consistent and structured approach to security. An ISMS is all the more important as you become more digitally connected to your ecosystem of suppliers, partners and customers.

Take the first step – find out what security framework you have, compare it to your industry’s best practice, and develop a plan to establish an ISMS. Your shareholders will be reassured, your partners will be reassured, and most importantly, you will have taken an important step to protect your company’s assets from security risks.


About the Author: Mr. Dennis Conley is a managing partner with Transition Partners, a management consultancy headquartered in Reston, Virginia. He is a senior business and information technology executive and transformation leader with over 20 years of broad corporate and consulting experience. His extensive background and experience covers such areas as mergers and acquisitions, outsourcing, business development, technology management, organization development, security, business and strategic planning, and leadership training. Throughout his career, Mr. Conley has been providing strategic advice for merger and acquisition activities. He has directed dozens of business process and information technology sourcing transactions valued at from $1 million to over $250 million per year.

Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.

Title image courtesy of ShutterStock

  • Guest

    Just another lawyer trying a fear-sells campaign. Where does it say a CIO is responsible for cyber security/information protection? Maybe the General Counsel should be held liable instead?

  • I very much doubt that Ashley Madison is a precursor to a flood of breaches. Sure, the breach was certainly good seasoning for broaching the subject, but that's about it. To draw any more from it is, in my opinion, reading tea leaves.

    It goes without saying, though, that yes, there is (or should be) serious concern about data breaches et al. Then again, doesn't that go without saying? I don't think we should simply shrug our shoulders, sigh, and let come what may, but still, isn't this the nature of the beast, i.e., the nature of being interconnected via the web? Shouldn't we be concerned the minute we connect and not because of some half-cocked omen brought upon by a vice-enabling site getting caught with its pants down?