laurav (12/3/2009)
I would tell my managers and IT security folks what I was doing and why, and they would look at me as though I had two heads. I view checks/balances as my safety net too.
There's something to be said about CYA. But it's not just you you're covering when you do that sort of thing. I think the problem is that corporate officials don't always realize (until you get to the stratospheric heights of management) that data loss and data theft are a monetary issue. 1s and 0s don't count for much. It's *just* information.
But if you start putting a dollar amount on the issue, it might help draw attention to your plight.
Here are the things I would start adding monetary values to: bad publicity, legal fees, paying for the customer's credit monitoring for the next X number of years, losing market share, re-training employees (or getting new ones) and the possible cost of hardware improvements (wireless credit card machines broadcasting in the clear, anyone?).
Hand them that invoice, and I guarantee they'll either think you're crazy or finally sit up and take notice.