Wednesday, December 17, 2008

The security double whammy

A lot of the recent news is about how the recession will cause increases in cyber threats. Combine that with reduced investment in security, and you have a true double whammy. And some want to add icing to the cake by suggesting that employees will also become more tempted to steal data.

Nice - a triple whammy!

Organizations should be cognizant of the tradeoffs they are making from a risk management perspective. Even if one cannot get everything done, use the old 80/20 rule to ensure that the high-priority projects, the ones that will reduce the most risk, get implemented. No use being penny wise and pound foolish...

1 comment:

Tim Hollebeek said...

Full Disclosure: I work with Manu.

That said, I have a research background, where it has long been realized that the state of information assurance is not just horrible, it's getting worse. This isn't just fear mongering. Right now, most of the people with the knowledge to cause serious damage are otherwise gainfully employed. If the people around the world who have worked hard to build our IT infrastructure find themselves in desperate situations, it would only take a few to do a lot of damage.

Unfortunately, underinvesting in computer security is the rational decision (read _Geekonomics_ if you don't agree). This puts security evangelists in a tough spot. Frankly, it is going to take a massive security meltdown to shift the world to where companies have the responsibility to keep information secure, and companies are liable for not doing so. We're seeing movement in that direction: mandatory breach notification, PCI, HIPAA, SOX, and so on. But we've been lucky so far. Some day soon, we may find out whose information security practices are hopelessly inadequate, and the economic situation suggests it may happen in the next year or two. People need to be thinking hard about whether their information security practices can withstand a hostile audit, because participation won't be optional, and the cost of failure is increased expenses when you can least afford them.

Tim Hollebeek