BreachExchange mailing list archives
Why suing auditors won't solve the data breach epidemic
From: security curmudgeon <jericho () attrition org>
Date: Thu, 4 Jun 2009 18:23:52 +0000 (UTC)
http://www.betanews.com/article/Why-suing-auditors-wont-solve-the-data-breach-epidemic/1244068439?awesm=betane.ws_13&utm_campaign=betanews&utm_content=api&utm_medium=betane.ws-twitter&utm_source=direct-betane.ws
or http://preview.tinyurl.com/pahfub

Why suing auditors won't solve the data breach epidemic
Something's got to be done, but this isn't necessarily it.
By Angela Gunn | Published June 4, 2009, 10:26 AM

The life of a security auditor has its high points, of course -- travel, getting paid to break stuff, and more travel -- but there's a lot about that job that doesn't recommend it. You're going into someone else's place of business and trying to figure out what they're doing wrong, so you can write a big report that goes to their bosses? I don't care how personable you are, this isn't on the Dale Carnegie list of How To Win Friends. Nor, in a disturbing number of situations, is it on the list of ways to Influence People.

Take a pack of security auditors out for a beer sometime. (You will not have to ask twice, and if you get two beers in them they'll tell you about that mid-sized city whose network is end-to-end pwned right now and that international airport that has an ongoing problem with stolen IDs -- no names, of course, but plenty of other detail. After that, you'll want another beer just for yourself.) When they're done scaring you, they'll start trading tales of clients who simply refused to accept a bad audit.

No one likes to be told that his IT operation has weaknesses, let alone critical-stop problems. Some companies will retain a security firm and, when bad results start coming back, terminate the contract and send everyone home. Some companies will hire a crew and, when they get there, manage to be so disorganized and cranky that the auditors spend half their time attempting to simply get started. And some, presented with a report saying that their company isn't security-compliant, will simply ask that the report be changed.

[..]
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)