Firewall Wizards mailing list archives
RE: InfoSec Consultant Liability Question
From: "Pearson, Arran" <Pears_A () admiral com au>
Date: Tue, 2 Nov 1999 12:16:41 +1100
Although the question of liability is not as silly as it first sounds. We all agree that the client must choose how much to invest in security so as to appropriately mitigate his / her risk, but a way of mitigating risk could be insurance. I have been involved in a number of assignments where what the client (usually banking types) wants to know is what my potential loss is, not risk but impact, and they then decide to either mitigate, insure or ignore depending on how significant a loss we are talking about.

For instance, a bank contracts a third party to build a payment gateway. One of the important questions for them to address is the level of professional indemnity to seek from the group contracted to build the gateway, i.e. if your software does not work properly or one of your developers deliberately inserts fraudulent or malicious code, how much can we expect from you? This is a dollar figure that the bank (or the developer) must insure against (typically based on how much $$$ damage can be done). This has flow-on effects for brand etc. etc. etc. which cannot be insured against (could be measured in terms of percentage of turnover, which for banks is massive), and at this point the client must invest in countermeasures.

Unfortunately security is all about money, and it may be cheaper & more cost effective to insure against loss than properly mitigate risk.
-----Original Message-----
From: Marcus J. Ranum [mailto:mjr () nfr net]
Sent: Tuesday, 2 November 1999 1:29
To: Joe Dauncey; Frank Pawlak; firewall-wizards () nfr net
Subject: Re: InfoSec Consultant Liability Question

> You shouldn't focus your efforts on insurance, but on stressing to your
> clients the risk element of security. How much money do they want to spend
> on lowering the risk?

I agree. The first thing in _any_ consulting engagement is setting the customer's expectations correctly. If you think the customers' expectations are unrealistic then you'd better expect trouble, walk away from the project, or hope you get lucky.

mjr.
--
Marcus J. Ranum, CEO, Network Flight Recorder, Inc.
work - http://www.nfr.net
home - http://www.clark.net/pub/mjr