Security not a technology issue but a control issue

by Rogier van Vlissingen | Sep 11, 2011

Amid the ongoing reports of data breaches, data theft, account takeovers, and ACH fraud, there are several interesting stories that have some educational value. One example is the recent appointment of a new CISO at Sony, which highlighted that security is not an IT issue.

At first, apparently, this gent was to report to the head of IT at Sony, but this was changed, and he reports straight to the top. From a standpoint of corporate control, this is the only way to address the issue, because the assumption that security is limited to IT security is deadly. Even within IT security, security would be seriously compromised if it had to compete with any number of other issues that affect the popularity of IT in an organization far more than security does. Security is not a popularity contest. IT needs to be told what it should do in security.

Among the other interesting observations of Mr. Reitinger is the idea that online security basically isn't. The fact is that technology has moved, and continues to move, faster than anybody can keep up with, and the greatest threat to security at all levels is to assume that it is somebody else's problem. IT, in turn, can be part of the solution, but it should be given direction in the context of overall internal controls and the implementation of security policy. From a liability standpoint, every organization needs a security policy, as well as uncompromising enforcement. Directors of public companies will see their liability insurance go through the roof if this is not done.
