Fwd: Why suing auditors won't solve the data breach epidemic
- From: Jeffrey Walton <noloader@xxxxxxxxx>
- Date: Sat, 20 Jun 2009 02:44:29 -0400
From the folks at Attrition and the DataLossDB.
---------- Forwarded message ----------
From: security curmudgeon <jericho@xxxxxxxxxxxxx>
Date: Jun 4, 2009 2:23 PM
Subject: Why suing auditors won't solve the data breach epidemic
To: dataloss-discuss@xxxxxxxxxxxxxx, dataloss@xxxxxxxxxxxxxx
http://www.betanews.com/article/Why-suing-auditors-wont-solve-the-data-breach-epidemic/1244068439?awesm=betane.ws_13&utm_campaign=betanews&utm_content=api&utm_medium=betane.ws-twitter&utm_source=direct-betane.ws
or http://preview.tinyurl.com/pahfub
Why suing auditors won't solve the data breach epidemic
Something's got to be done, but this isn't necessarily it.
By Angela Gunn | Published June 4, 2009, 10:26 AM
The life of a security auditor has its high points, of course -- travel,
getting paid to break stuff, and more travel -- but there's a lot about
that job that doesn't recommend it. You're going into someone else's place
of business and trying to figure out what they're doing wrong, so you can
write a big report that goes to their bosses? I don't care how personable
you are, this isn't on the Dale Carnegie list of How To Win Friends.
Nor, in a disturbing number of situations, is it on the list of ways to
Influence People. Take a pack of security auditors out for a beer
sometime. (You will not have to ask twice, and if you get two beers in
them they'll tell you about that mid-sized city whose network is
end-to-end pwned right now and that international airport that has an
ongoing problem with stolen IDs -- no names, of course, but plenty of
other detail. After that, you'll want another beer just for yourself.)
When they're done scaring you, they'll start trading tales of clients who
simply refused to accept a bad audit.
No one likes to be told that his IT operation has weaknesses, let alone
critical-stop problems. Some companies will retain a security firm and,
when bad results start coming back, terminate the contract and send
everyone home. Some companies will hire a crew and, when they get there,
manage to be so disorganized and cranky that the auditors spend half their
time attempting to simply get started. And some, presented with a report
saying that their company isn't security-compliant, will simply ask that
the report be changed.
[..]
_______________________________________________
Dataloss Mailing List (dataloss@xxxxxxxxxxxxxx)