
Law & Policy

By Nick Heath

Published: Monday 28 April 2008


Name: Haydn Rees

Location: London

Occupation: Technical Analyst

Comment:

So long as, in the event of things going wrong, the appropriate people go to prison, it's fine.

The poor geek who tries to make an organisation take information security seriously should not be the one to stir the porridge.

It must be someone on the board (if they don't nominate a data security director/advocate, it must be all of them).

Make "Data Security Director" a position with statutory authority, responsibility, and power - requiring a little book learning and certification - to take executive action to make the organisation take security seriously, namely:

1. The use to which data is put in an organisation.

2. The downstream use (in other organisations) to which any data is put.

Audit trails. A named answerable published person who will twist in the wind if things go wrong.

Power to balance the authority and responsibility.

An assumption of culpability, which can only be mitigated by a log of the auditable measures taken to QA security risk, e.g. external audit, and external penetration testing consultancy with a watching brief.


