Comments on: The Economist on Breach Disclosure http://newschoolsecurity.com/2010/03/the-economist-on-breach-disclosure/ The Blog Inspired By The Book Wed, 08 Feb 2012 09:21:02 +0000 hourly 1 http://wordpress.org/?v=3.3.1 By: LonerVamp http://newschoolsecurity.com/2010/03/the-economist-on-breach-disclosure/#comment-1088 LonerVamp Wed, 03 Mar 2010 19:53:53 +0000 http://newschoolsecurity.com/?p=1391#comment-1088 I need to grab a copy of the article, but just to add some comments... First, I will always agree that sharing information and disclosing breaches is a benefit, from a security perspective. Has this pushed companies to invest more in prevention? I'm not sure. I think plenty is spent on avoiding disclosures, reducing compliance/risk scope, and satisfying audits. Does that improve prevention or detection? Hard to say. I always wait for comparisons between IT security audits and financial audits; hell I often find myself thinking the same thing. My big problem with that, though, is similar to why I think checklist compliance is weak. Financial practices are very objective, painfully so. There are only so many ways to do things, and while it is mindboggling to non-accountants, they ultimately all do make predictable and comparable sense. IT solutions are still as much artful as they are predictable. One company's network may dramatically differ from another company, even those in direct competition to each other in the same exact space. How do you get any sort of checklist that will be effective enough to offer value across the board without incurring even more financial barriers to entry into business in a digital world? That rant dives pretty far into checklist compliance, but if anyone wants to start having public audits and comparisons like financial audits, it's a dirty and necessary topic. Then again, it's not like insurance (or financial audits to reflect business ethics/health) is an exact science... I need to grab a copy of the article, but just to add some comments…

First, I will always agree that sharing information and disclosing breaches is a benefit, from a security perspective.

Has this pushed companies to invest more in prevention? I’m not sure. I think plenty is spent on avoiding disclosures, reducing compliance/risk scope, and satisfying audits. Does that improve prevention or detection? Hard to say.

I always wait for comparisons between IT security audits and financial audits; hell I often find myself thinking the same thing. My big problem with that, though, is similar to why I think checklist compliance is weak. Financial practices are very objective, painfully so. There are only so many ways to do things, and while it is mindboggling to non-accountants, they ultimately all do make predictable and comparable sense. IT solutions are still as much artful as they are predictable. One company’s network may dramatically differ from another company, even those in direct competition to each other in the same exact space. How do you get any sort of checklist that will be effective enough to offer value across the board without incurring even more financial barriers to entry into business in a digital world?

That rant dives pretty far into checklist compliance, but if anyone wants to start having public audits and comparisons like financial audits, it’s a dirty and necessary topic. Then again, it’s not like insurance (or financial audits to reflect business ethics/health) is an exact science…

]]> By: Ben http://newschoolsecurity.com/2010/03/the-economist-on-breach-disclosure/#comment-1079 Ben Tue, 02 Mar 2010 15:26:24 +0000 http://newschoolsecurity.com/?p=1391#comment-1079 I think this is a very good thing, to be honest. Sorry to disappoint and agree with you! :) We chatted a bit about it at the ABA InfoSec Committee meeting over the weekend and even the lawyers think it's a good idea to have better breach reporting. It's almost like the world is becoming so insane that it's actually sane. :) I think this is a very good thing, to be honest. Sorry to disappoint and agree with you! :) We chatted a bit about it at the ABA InfoSec Committee meeting over the weekend and even the lawyers think it’s a good idea to have better breach reporting. It’s almost like the world is becoming so insane that it’s actually sane. :)

]]> By: James K. Adamson http://newschoolsecurity.com/2010/03/the-economist-on-breach-disclosure/#comment-1076 James K. Adamson Tue, 02 Mar 2010 13:21:43 +0000 http://newschoolsecurity.com/?p=1391#comment-1076 Grabbed this issue on my way through the airport to an infosec gig and am looking forward to reading the full article. Just the info on the growth of information being produced was mind boggling! Grabbed this issue on my way through the airport to an infosec gig and am looking forward to reading the full article. Just the info on the growth of information being produced was mind boggling!

]]>