Re: Fwd: Why suing auditors won't solve the data breach epidemic
- From: Barry Fawthrop <barry@xxxxxxxxx>
- Date: Mon, 22 Jun 2009 11:14:47 -0400
To All,
I would agree that suing them is *not* the answer, that is only going to force auditor/audit companies
to raise rates and thus make auditing more expensive and thus the first thing dropped by companies
in a tight economy.
I would put forward the suggestion that the Auditors are paid a bonus based on the number of *VALID* findings that they put in their report.
As auditors we need to start reporting the below average incidents as average, and list more valid findings.
But I must stress *VALID* findings, not just insignificant or trivial.
Too often we overlook items and decide not to report them when they should have.
my 2c
Barry Fawthrop BSc CISSP, CISA, GCIH
Jeffrey Walton wrote:
From the folks at Attrition and the DataLossDB.
---------- Forwarded message ----------
From: security curmudgeon <jericho@xxxxxxxxxxxxx>
Date: Jun 4, 2009 2:23 PM
Subject: Why suing auditors won't solve the data breach epidemic
To: dataloss-discuss@xxxxxxxxxxxxxx, dataloss@xxxxxxxxxxxxxx
http://www.betanews.com/article/Why-suing-auditors-wont-solve-the-data-breach-epidemic/1244068439?awesm=betane.ws_13&utm_campaign=betanews&utm_content=api&utm_medium=betane.ws-twitter&utm_source=direct-betane.ws
or http://preview.tinyurl.com/pahfub
Why suing auditors won't solve the data breach epidemic
Something's got to be done, but this isn't necessarily it.
By Angela Gunn | Published June 4, 2009, 10:26 AM
The life of a security auditor has its high points, of course -- travel,
getting paid to break stuff, and more travel -- but there's a lot about
that job that doesn't recommend it. You're going into someone else's place
of business and trying to figure out what they're doing wrong, so you can
write a big report that goes to their bosses? I don't care how personable
you are, this isn't on the Dale Carnegie list of How To Win Friends.
Nor, in a disturbing number of situations, is it on the list of ways to
Influence People. Take a pack of security auditors out for a beer
sometime. (You will not have to ask twice, and if you get two beers in
them they'll tell you about that mid-sized city whose network is
end-to-end pwned right now and that international airport that has an
ongoing problem with stolen IDs -- no names, of course, but plenty of
other detail. After that, you'll want another beer just for yourself.)
When they're done scaring you, they'll start trading tales of clients who
simply refused to accept a bad audit.
No one likes to be told that his IT operation has weaknesses, let alone
critical-stop problems. Some companies will retain a security firm and,
when bad results start coming back, terminate the contract and send
everyone home. Some companies will hire a crew and, when they get there,
manage to be so disorganized and cranky that the auditors spend half their
time attempting to simply get started. And some, presented with a report
saying that their company isn't security-compliant, will simply ask that
the report be changed.
[..]
_______________________________________________
Dataloss Mailing List (dataloss@xxxxxxxxxxxxxx)
Get business, compliance, IT and security staff on the same page with
CREDANT Technologies: The Shortcut Guide to Understanding Data Protection
from Four Critical Perspectives. The eBook begins with considerations
important to executives and business leaders.
http://www.credant.com/campaigns/ebook-chpt-one-web.php
------------------------------------------------------------------------
This list is sponsored by: InfoSec Institute
Need to pass the CISSP? InfoSec Institute's CISSP Boot Camp in both Instructor-Led and Online formats is the most concentrated exam prep available. Comprehensive course materials and an expert instructor means you pass the exam. Gain a laser like insight into what is covered on the exam, with zero fluff!
http://www.infosecinstitute.com/courses/cissp_bootcamp_training.html
------------------------------------------------------------------------
------------------------------------------------------------------------
This list is sponsored by: InfoSec Institute
Need to pass the CISSP? InfoSec Institute's CISSP Boot Camp in both Instructor-Led and Online formats is the most concentrated exam prep available. Comprehensive course materials and an expert instructor means you pass the exam. Gain a laser like insight into what is covered on the exam, with zero fluff!
http://www.infosecinstitute.com/courses/cissp_bootcamp_training.html
------------------------------------------------------------------------
- Follow-Ups:
- RE: Fwd: Why suing auditors won't solve the data breach epidemic
- From: Nick Vaernhoej
- RE: Fwd: Why suing auditors won't solve the data breach epidemic
- References:
- Fwd: Why suing auditors won't solve the data breach epidemic
- From: Jeffrey Walton
- Fwd: Why suing auditors won't solve the data breach epidemic
- Prev by Date: Blocking traffic by Country to reduce spam
- Next by Date: Re: Blocking traffic by Country to reduce spam
- Previous by thread: Fwd: Why suing auditors won't solve the data breach epidemic
- Next by thread: RE: Fwd: Why suing auditors won't solve the data breach epidemic
- Index(es):
Relevant Pages
|
