tssci security

HBR case study on data breaches

Boss, I Think Someone Stole Our Customer Data

The way Hoff puts it sounds all too familiar. I can't count the number of times I've heard people talk about their systems and believe they're as secure as can be because they did one, some, or all of the following:

And then you say, "a determined hacker given enough time could break into it anyway." Ah! Should "good enough" be allowed in a security professional's vocabulary?

Where was Flayton's computer security incident response team (CSIRT)? The Secret Service was conducting surveillance to try and catch the perpetrator red-handed. A competent CSIRT (not affiliated with any of the employees with access to the system) should have been on task right away to determine whether the affected cards were the result of a data breach at Flayton's. I agree with Jay Foley of the Identity Theft Resource Center in San Diego and think the CIO didn't have a grasp of the situation at all, before or after the incident.

CEO: "Are you saying, Sergei, that we're not actually PCI compliant?"

CIO: "We meet about 75% or so of the PCI requirements. That's better than average for retailers of our size."

CEO: "How have we been able to get away with that?"

CIO: "They don't scan us every day," Sergei demurred. "Compliance really is up to us, to me, in the end."

Yah, I think we really need to stop using compliance as the reason for needing security and doing security for compliance, and actually start doing security to be secure. A survey conducted recently of 250 CIOs and CISOs states that 99% feel more secure this year than last. What??!

Posted by Marcin on Thursday, August 30, 2007 in Security.
