Fwd: Why suing auditors won't solve the data breach epidemic

From the folks at Attrition and the DataLossDB.

---------- Forwarded message ----------
From: security curmudgeon <jericho@xxxxxxxxxxxxx>
Date: Jun 4, 2009 2:23 PM
Subject: Why suing auditors won't solve the data breach epidemic
To: dataloss-discuss@xxxxxxxxxxxxxx, dataloss@xxxxxxxxxxxxxx

or http://preview.tinyurl.com/pahfub

Why suing auditors won't solve the data breach epidemic
Something's got to be done, but this isn't necessarily it.
By Angela Gunn | Published June 4, 2009, 10:26 AM

The life of a security auditor has its high points, of course -- travel,
getting paid to break stuff, and more travel -- but there's a lot about
that job that doesn't recommend it. You're going into someone else's place
of business and trying to figure out what they're doing wrong, so you can
write a big report that goes to their bosses? I don't care how personable
you are, this isn't on the Dale Carnegie list of How To Win Friends.

Nor, in a disturbing number of situations, is it on the list of ways to
Influence People. Take a pack of security auditors out for a beer
sometime. (You will not have to ask twice, and if you get two beers in
them they'll tell you about that mid-sized city whose network is
end-to-end pwned right now and that international airport that has an
ongoing problem with stolen IDs -- no names, of course, but plenty of
other detail. After that, you'll want another beer just for yourself.)
When they're done scaring you, they'll start trading tales of clients who
simply refused to accept a bad audit.

No one likes to be told that his IT operation has weaknesses, let alone
critical-stop problems. Some companies will retain a security firm and,
when bad results start coming back, terminate the contract and send
everyone home. Some companies will hire a crew and, when they get there,
manage to be so disorganized and cranky that the auditors spend half their
time attempting to simply get started. And some, presented with a report
saying that their company isn't security-compliant, will simply ask that
the report be changed.

Dataloss Mailing List (dataloss@xxxxxxxxxxxxxx)
