Security Basics mailing list archives

Fwd: Why suing auditors won't solve the data breach epidemic


From: Jeffrey Walton <noloader () gmail com>
Date: Sat, 20 Jun 2009 02:44:29 -0400

From the folks at Attrition and the DataLossDB.

---------- Forwarded message ----------
From: security curmudgeon <jericho () attrition org>
Date: Jun 4, 2009 2:23 PM
Subject: Why suing auditors won't solve the data breach epidemic
To: dataloss-discuss () datalossdb org, dataloss () datalossdb org

 
http://www.betanews.com/article/Why-suing-auditors-wont-solve-the-data-breach-epidemic/1244068439?awesm=betane.ws_13&utm_campaign=betanews&utm_content=api&utm_medium=betane.ws-twitter&utm_source=direct-betane.ws
 or http://preview.tinyurl.com/pahfub

 Why suing auditors won't solve the data breach epidemic
 Something's got to be done, but this isn't necessarily it.
 By Angela Gunn | Published June 4, 2009, 10:26 AM

 The life of a security auditor has its high points, of course -- travel,
 getting paid to break stuff, and more travel -- but there's a lot about
 that job that doesn't recommend it. You're going into someone else's place
 of business and trying to figure out what they're doing wrong, so you can
 write a big report that goes to their bosses? I don't care how personable
 you are, this isn't on the Dale Carnegie list of How To Win Friends.

 Nor, in a disturbing number of situations, is it on the list of ways to
 Influence People. Take a pack of security auditors out for a beer
 sometime. (You will not have to ask twice, and if you get two beers in
 them they'll tell you about that mid-sized city whose network is
 end-to-end pwned right now and that international airport that has an
 ongoing problem with stolen IDs -- no names, of course, but plenty of
 other detail. After that, you'll want another beer just for yourself.)
 When they're done scaring you, they'll start trading tales of clients who
 simply refused to accept a bad audit.

 No one likes to be told that his IT operation has weaknesses, let alone
 critical-stop problems. Some companies will retain a security firm and,
 when bad results start coming back, terminate the contract and send
 everyone home. Some companies will hire a crew and, when they get there,
 manage to be so disorganized and cranky that the auditors spend half their
 time attempting to simply get started. And some, presented with a report
 saying that their company isn't security-compliant, will simply ask that
 the report be changed.

 [..]
 _______________________________________________
 Dataloss Mailing List (dataloss () datalossdb org)

