Shostack + Friends Blog Archive


Corporate governance goals impossible

There’s a fascinating article in the Register about the impact of new rules:

In some cases, the law has made IT managers legally responsible for adherence to corporate governance rules. Colao says that this may not necessarily be a good thing. “CIOs are now relying on convoluted processes rather than using sound business judgement based on years of experience. A process is easier to defend in court than personal judgement. This means that in many cases unnecessarily cautious decisions are being taken because the CIO is focusing on their own personal liability, rather than what is best for the business,” he said.

[…]
Tim Pickard, strategic marketing director at RSA Security EMEA, said: “The nature of implementation of EU directives in member states means that it is almost impossible for today’s global CIO to be fully compliant and is therefore likely to be breaking the law in at least one member state.”

The first part of this is what economists call the principal-agent problem: you hire someone to sell your car, so how do you know they got you the best price rather than selling it cheaply to a friend? That new laws create new problems is not surprising, but it’s nice to have it pointed out, in light of people calling for infosec liability. What new problems would a liability scheme bring? (Gregory Haase has some good thoughts.)

But my thought on the liability question boils down to this: let’s assume that you do pass a law assigning more liability. What would you do differently tomorrow? I’m not sure that we know enough about how to produce more secure software that we could really change the number of vulns that ship. We could probably affect some design errors. Before we pass a law, I’d like to know that we have enough security methods, and enough experts trained in them, to make better software. The last set of encouragements, the Rainbow Series, cost a lot to implement, but they didn’t result in more secure software. “CIOs are now relying on convoluted processes rather than using sound business judgement based on years of experience. A process is easier to defend in court than personal judgement.” Why would liability rules for commercial software security be any different?