Security Basics mailing list archives
Fwd: Why suing auditors won't solve the data breach epidemic
From: Jeffrey Walton <noloader () gmail com>
Date: Sat, 20 Jun 2009 02:44:29 -0400
From the folks at Attrition and the DataLossDB.
---------- Forwarded message ----------
From: security curmudgeon <jericho () attrition org>
Date: Jun 4, 2009 2:23 PM
Subject: Why suing auditors won't solve the data breach epidemic
To: dataloss-discuss () datalossdb org, dataloss () datalossdb org

http://www.betanews.com/article/Why-suing-auditors-wont-solve-the-data-breach-epidemic/1244068439?awesm=betane.ws_13&utm_campaign=betanews&utm_content=api&utm_medium=betane.ws-twitter&utm_source=direct-betane.ws

or http://preview.tinyurl.com/pahfub

Why suing auditors won't solve the data breach epidemic

Something's got to be done, but this isn't necessarily it.

By Angela Gunn | Published June 4, 2009, 10:26 AM

The life of a security auditor has its high points, of course -- travel, getting paid to break stuff, and more travel -- but there's a lot about that job that doesn't recommend it. You're going into someone else's place of business and trying to figure out what they're doing wrong, so you can write a big report that goes to their bosses? I don't care how personable you are, this isn't on the Dale Carnegie list of How To Win Friends. Nor, in a disturbing number of situations, is it on the list of ways to Influence People.

Take a pack of security auditors out for a beer sometime. (You will not have to ask twice, and if you get two beers in them they'll tell you about that mid-sized city whose network is end-to-end pwned right now and that international airport that has an ongoing problem with stolen IDs -- no names, of course, but plenty of other detail. After that, you'll want another beer just for yourself.)

When they're done scaring you, they'll start trading tales of clients who simply refused to accept a bad audit. No one likes to be told that his IT operation has weaknesses, let alone critical-stop problems. Some companies will retain a security firm and, when bad results start coming back, terminate the contract and send everyone home. Some companies will hire a crew and, when they get there, manage to be so disorganized and cranky that the auditors spend half their time attempting to simply get started. And some, presented with a report saying that their company isn't security-compliant, will simply ask that the report be changed.

[..]

_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)