I recently commented on a LinkedIn discussion regarding PCI compliance vs. security. One of the commentators on the article expressed the following opinion:
As for management, it is not their job to understand this, but the job of the administrator to put it in a way they can understand.
This prompted a response from me, as I disagree with the old-school mentality that management should use administrators as cover for their own lack of knowledge in security and compliance matters.
Especially since the advent of compliance programs such as SOX, it has become the job of executive management to make sure their organizations are secure and compliant, inside and out. This includes having an understanding of requirements such as PCI and the related security concerns. They should be spearheading security and compliance activities from the top (assigning the responsibility to one C-level person is usually how this is handled), then looking to subject matter experts further down the chain to assist them with the details, rather than waiting for administrators to explain it to them. Knowing the differences and similarities between compliance and security is something they can no longer afford to pass off to administrators.
Unfortunately, the majority of today’s executive management folks still don’t understand this responsibility and the related liabilities. Compliance and security, much like customer service efforts, are often looked upon as cost-centric projects with very little ROI. It’s often not until a threatening letter from a card association, bank, or legal entity comes across their desk that the message hits home. When such incidents occur, public patience for blaming a lack of appropriate security and compliance measures on folks lower down the ladder is pretty much gone these days. It’s the executives (and all stakeholders, in the case of public companies) who carry the liability burden, and it’s the executives who should be mature enough to see the complete vision of their corporation. It’s their job not only to bring in the money but to protect it once it gets there.
I’ve seen some improvement in current MBA and related programs, where security and compliance are being driven home more for tomorrow’s aspiring executives. Hopefully it’s a trend that will improve management oversight in the future.