Security Basics mailing list archives
Re: Fwd: Why suing auditors won't solve the data breach epidemic
From: Barry Fawthrop <barry () isscp com>
Date: Mon, 22 Jun 2009 11:14:47 -0400
To All,

I would agree that suing them is *not* the answer; that is only going to force auditors/audit companies to raise rates and thus make auditing more expensive, and thus the first thing dropped by companies in a tight economy.

I would put forward the suggestion that the auditors are paid a bonus based on the number of *VALID* findings that they put in their report. As auditors we need to start reporting the below-average incidents as average, and list more valid findings. But I must stress *VALID* findings, not just insignificant or trivial ones. Too often we overlook items and decide not to report them when they should have been.

My 2c

Barry Fawthrop BSc CISSP, CISA, GCIH

Jeffrey Walton wrote:
From the folks at Attrition and the DataLossDB.

---------- Forwarded message ----------
From: security curmudgeon <jericho () attrition org>
Date: Jun 4, 2009 2:23 PM
Subject: Why suing auditors won't solve the data breach epidemic
To: dataloss-discuss () datalossdb org, dataloss () datalossdb org

http://www.betanews.com/article/Why-suing-auditors-wont-solve-the-data-breach-epidemic/1244068439?awesm=betane.ws_13&utm_campaign=betanews&utm_content=api&utm_medium=betane.ws-twitter&utm_source=direct-betane.ws
or
http://preview.tinyurl.com/pahfub

Why suing auditors won't solve the data breach epidemic
Something's got to be done, but this isn't necessarily it.
By Angela Gunn | Published June 4, 2009, 10:26 AM

The life of a security auditor has its high points, of course -- travel, getting paid to break stuff, and more travel -- but there's a lot about that job that doesn't recommend it. You're going into someone else's place of business and trying to figure out what they're doing wrong, so you can write a big report that goes to their bosses? I don't care how personable you are, this isn't on the Dale Carnegie list of How To Win Friends. Nor, in a disturbing number of situations, is it on the list of ways to Influence People.

Take a pack of security auditors out for a beer sometime. (You will not have to ask twice, and if you get two beers in them they'll tell you about that mid-sized city whose network is end-to-end pwned right now and that international airport that has an ongoing problem with stolen IDs -- no names, of course, but plenty of other detail. After that, you'll want another beer just for yourself.)

When they're done scaring you, they'll start trading tales of clients who simply refused to accept a bad audit. No one likes to be told that his IT operation has weaknesses, let alone critical-stop problems. Some companies will retain a security firm and, when bad results start coming back, terminate the contract and send everyone home.
Some companies will hire a crew and, when they get there, manage to be so disorganized and cranky that the auditors spend half their time attempting to simply get started. And some, presented with a report saying that their company isn't security-compliant, will simply ask that the report be changed.

[..]

_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Get business, compliance, IT and security staff on the same page with CREDANT Technologies: The Shortcut Guide to Understanding Data Protection from Four Critical Perspectives. The eBook begins with considerations important to executives and business leaders.
http://www.credant.com/campaigns/ebook-chpt-one-web.php

------------------------------------------------------------------------
This list is sponsored by: InfoSec Institute

Need to pass the CISSP? InfoSec Institute's CISSP Boot Camp in both Instructor-Led and Online formats is the most concentrated exam prep available. Comprehensive course materials and an expert instructor means you pass the exam. Gain a laser-like insight into what is covered on the exam, with zero fluff!
http://www.infosecinstitute.com/courses/cissp_bootcamp_training.html
------------------------------------------------------------------------