I think the most disturbing aspect of ChoicePoint is that the leaders involved consistently said they were preserving national security and upholding a new standard in personal privacy.
I mean, you have to note that their CISO, an ex-officer of the NSA, was Georgia's Information Security Executive Officer of the Year in 2004.
Such a position should imply at least due diligence with regard to data integrity and confidentiality. Instead, we get indignant and self-righteous comments from the CEO, the CFO and this man as he tries to completely deflect the issue. For example:
"I was at RSA among other CISOs when the media frenzy around this kicked in. I would never have thought the media would spin it as atrociously as they have. None other than Howard Schmidt came up to me and told me he felt badly."
Poor poor CISO. Clearly you are a victim of a terrible situation that you have absolutely no control over. No responsibility on your part and no public apology or statement on changes necessary. Nope, none. Who would dare say that preventing fraudulent access to data would be your concern?
Somehow, I have a hard time believing that Baich is still a presenter at conferences, claiming to be an authority on "corporate security":
"10AM. Security as an Integral Component of Corporate Strategy. Security planning begins at the beginning--as an integral part of corporate strategy. This presentation shows how one company incorporated security into its strategic planning. Speaker: Rich Baich"
I can hear him now..."thank you both for attending. If either of you are with the media, please raise your hand so security can escort you from the building. I just want to remind you that I firmly believe corporate security is not about stopping someone from selling personal identity information to criminals. In other words, I am here to say that if money is exchanged, then information flow cannot be classified as a breach or "hack". In fact, my CEO calls that good business sense -- the more money exchanged for access to your most sensitive information, the more successful you will be as a CISO! And what a great career it can be. Just ask my good friend Howard, who is presenting down the hall on why regulation (to protect public interests such as privacy and freedom) is bad for business..."
Think I'm being too harsh? Consider his prophecy for ChoicePoint data in early 2004:
"'The last thing you want to do when securing your data center is shut out revenue-generating partners or customers,' says Rich Baich, CIO at Choicepoint"
Somehow I doubt the media was misquoting him. Perhaps this was the article the criminals read and said to themselves, "now here is a CIO/CISO we can work with." Yes, the LAST thing you would want to do, if you are in charge of corporate security at ChoicePoint, is interfere with revenue.
Derek Smith, Baich and others who boasted of their security acumen should be held directly responsible, or there will just be many more executives just like them out to make huge profits with willful disregard for public welfare and/or safety. It's a common-sense situation that other industries have had to face and deal with properly.
I've said it before, and I'll say it again. Enron was full of "entrepreneurial brilliance" until we realized they were cooking the books. ChoicePoint's "entrepreneurial brilliance" was also based upon a web of lies. How ironic that not only was Smith making money hand over fist with his ruse and "beat the system" style of leadership, but he also published books about protecting against identity theft as if to thumb his nose at the public.