BreachExchange mailing list archives

Why suing auditors won't solve the data breach epidemic


From: security curmudgeon <jericho () attrition org>
Date: Thu, 4 Jun 2009 18:23:52 +0000 (UTC)


http://www.betanews.com/article/Why-suing-auditors-wont-solve-the-data-breach-epidemic/1244068439?awesm=betane.ws_13&utm_campaign=betanews&utm_content=api&utm_medium=betane.ws-twitter&utm_source=direct-betane.ws
or http://preview.tinyurl.com/pahfub

Why suing auditors won't solve the data breach epidemic
Something's got to be done, but this isn't necessarily it.
By Angela Gunn | Published June 4, 2009, 10:26 AM

The life of a security auditor has its high points, of course -- travel, 
getting paid to break stuff, and more travel -- but there's a lot about 
that job that doesn't recommend it. You're going into someone else's place 
of business and trying to figure out what they're doing wrong, so you can 
write a big report that goes to their bosses? I don't care how personable 
you are, this isn't on the Dale Carnegie list of How To Win Friends.

Nor, in a disturbing number of situations, is it on the list of ways to 
Influence People. Take a pack of security auditors out for a beer 
sometime. (You will not have to ask twice, and if you get two beers in 
them they'll tell you about that mid-sized city whose network is 
end-to-end pwned right now and that international airport that has an 
ongoing problem with stolen IDs -- no names, of course, but plenty of 
other detail. After that, you'll want another beer just for yourself.) 
When they're done scaring you, they'll start trading tales of clients who 
simply refused to accept a bad audit.

No one likes to be told that his IT operation has weaknesses, let alone 
critical-stop problems. Some companies will retain a security firm and, 
when bad results start coming back, terminate the contract and send 
everyone home. Some companies will hire a crew and, when they get there, 
manage to be so disorganized and cranky that the auditors spend half their 
time attempting to simply get started. And some, presented with a report 
saying that their company isn't security-compliant, will simply ask that 
the report be changed.

[..]
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)