Infosecurity will this week host a mock courtroom trial to demonstrate that the boardroom has ultimate responsibility for information security breaches.
The trial will be based on a fictionalised account of the real theft of thousands of credit card account details. In the dock will be the chief executive, the chief information officer, the chief information security officer and other suspects.
Paul Williams, former president of the Information Systems Audit and Control Association, will defend the CIO's role. "Ultimate responsibility for information security rests with the board and the chief executive," he said. "This cannot be delegated. It is up to them to set the policies and to monitor their implementation."
Williams said security was more than the "box-ticking" exercises demanded by regulations such as Sarbanes-Oxley and PCI DSS. "I am not convinced more regulation helps," he said. "Jail means that all else has failed."
He said regulations such as PCI DSS were the application of common sense. "The basic principles are simply good housekeeping for anyone who processes credit card data," he said. "Of course you should encrypt customer data, and use firewalls to stop attacks."
Williams said regulations had sharpened boards' focus on IT security, but many were still ignorant of all that it entails.