1) Due diligence — i.e., doing everything everybody else is doing — may be a great objective, but how do we know where to begin and what our most important issues/problems are? That’ll only come from being able to reasonably and defensibly evaluate/measure risk. So the two things (a due diligence approach and risk management) can co-exist, even compliment one another.

2) At least as I’ve seen it practiced generally, the “common practice” (due diligence) approach often ignores the fact that not only are we tasked with helping our employers manage security/risk, but also manage it cost-effectively. And as “good” as common practice might be, it’s often not particularly cost-effective (one-size-fits-all often doesn’t). Sometimes common practice is exactly the best and most cost-effective option, sometimes it’s not. As a responsible professional, our job is to recognize when it is or isn’t. Here again, the effectiveness component of cost-effectiveness is a matter risk reduction efficacy — which requires risk measurement.

Just my $.02

most execs understand this concept
it is not just a concept relevant to a legal context
not every jurisdiction is as litigious as the US
I regularly use the concept of diligence vs.negligence in positioning an information security program .
A view of “Negligence” arises when a post incident review, audit or regulators report arrives at a position that there are inadequate security controls and that this either directly or indirectly contributed to the incident and or breach.

assurance, risk management and directors accountability are defined in the context of diligence, adequate vs negligent and inadequate

so advising an exec that the current state of information security capability and controls are inadequate and if subject to an independent and standards based review, that the overall assessment would be that the exec had been negligent is a useful narrative

I disagree with your falsification point, but online insomuch as its colored by my theory of legal defensibility, not as it pertains to this antiquated “due diligence” concept. Ultimately it hinges on what is “reasonable,” and that can end up costing the plaintiffs more than is worthwhile in a civil proceeding.

Of course, IANAL, nor do I play one on TV. I’m always reminded of my cyberlaw prof who started the first class by asking “Can you sue?” The answer is always “yes,” but it also turns out to be the wrong question. It’s not a matter of “can,” but rather “should you sue?”

As preposterous as this might seem to you, IIRC – the UK at some point in the not so distant past has discussed prosecution under criminal law.

I do have to admit that after posting this and explaining my thoughts on interpreting the concept of criminal negligence, Mrs. Hutton (Esq.) gave me the “well, it’s certainly possible” (which means, “not likely” in her estimation), and in the States (at least), she thinks that these sorts of cases are difficult to bring against corporations.

RE: Civil procedures, I’ll argue that the concept of falsification still stands. Be it a government or industry acting as plaintiff – the Burden of Proof doesn’t seem to be so burdensome at this point. From what I understand, rather esoteric violations certain standards are used to make the plaintiff’s case.

Nope, wasn’t you I was talking about.

AH

1) Presumption of innocence only applies to criminal cases, not to civil litigation. So, you’re working from a faulty premise, since the majority of litigation over breaches are going to occur as civil proceedings.

2) In civilian litigation, there is no prosecutor. You only get those when you’re talking about breaking laws, which I’ve already noted is not the majority of cases relative to breaches (today, anyway).

3) You’ve cast “due diligence” in an inappropriately severe and sparse role. If the defendant argues, and demonstrates, that they’ve done what was reasonable in defending their organization, then the plaintiff finding anomalies will not be sufficient to undermine the defense. Your statement that “your ability to prove Due Diligence as a defendant will be a function your ability to prove all swans white” is then incorrect. It is *not* an all-or-nothing position.

In fact, if one builds their security strategy from the perspective of expecting to be breached and doing what is reasonable to protect, detect, and correct, then the plaintiff’s burden of proof will actually be much higher in terms of proving wrongdoing. If we assume that a breach is going to happen, then your legal defense is less about that you didn’t stop the breach from occurring, and more about demonstrating that you took reasonable measures to prevent it, detected it in a reasonable period of time, and took reasonable steps to resolve the breach in a reasonable period of time. This is the premise of my “legal defensibility” argument, in fact (I’ll be blogging about this tomorrow, in fact), complete with ties into networked systems survivability.

4) As a side-note, a legally defensible position would absolute leverage risk management. *I* certainly never said it wouldn’t, but have said that I think too much focus is put on risk management when very few people/organizations have the slightest inkling of how to do formal risk management. If you’re not doing formal risk management, then I seriously question the validity of claiming to be doing “risk management” since it quickly devolves into subjective and biased flailing.

5) Finally, on your conclusion, I must disagree, but only to a degree. Yes, it could back-fire and put the CISO in a tough spot, but I think what you’re overlooking is that the main reason to use a “legal defensibility” approach (which you’ve boiled down poorly into the inadequate and antiquated “due diligence” phrase) is that it squarely puts the ball into the court of business leaders, removing a lot of the abstraction that goes along with much of info risk mgmt and security practices these days. Starting from the perspective of “when a breach happens and we get sued, how will we prove that we did what was reasonable?” then I’m finding that business leaders actually understand what I’m talking about, whereas when I’ve tried talking risk management in the past they immediately fall into the checklist+compliance mindset of “just resolve the critical and high findings, report as necessary, and otherwise leave us alone.”

More importantly, legal defensibility as an approach can lead to legislation with hooks because the concept meshes very well with the court system, and can even some day translate into criminal code that could apply some much-needed teeth.

MAJOR CAVEAT: Much of this line of thinking hinges on what is “reasonable,” which is obviously not cut-n-dry by any stretch of the imagination. Even better, it ultimately comes down to what is “reasonably foreseeable.” This kind of gets into that fabled “unknown unknowns” territory, and who knows what that even means. What it does *not* mean is just complying with a given regulation as we have ample examples that such a narrow focus is *not* reasonable. The good news is that this is where good lawyers become invaluable, and where the real fun of Law comes into play.

Bonus, a good third of my due diligent reasonable controls are refused by the very customers they’re supposed to protect. Too expensive, too inconvenient, etc. I explain the risk and they say “so what?” Then I make em sign off and I’m done.

Of course, to get this state, one needs to do some good risk analysis. And that is part of what is reasonably expected – as baked into almost every compliance standard. But you knew that.