Friday, June 24, 2011

It will never be enough.

A recent Wall Street Journal article began, “think of it as a mansion with a high-tech security system - but the front door wasn’t locked tight.” Wrong. Not fair. Not true. Curious.

I would hate to be an info security professional right now.
However, it’s a great time to be in info security because there is endless work.

Imagine making your best efforts and that not being sufficient. Imagine that every day someone with serious motivation and increasing sophistication tries to crack the security perimeter around your info treasure trove. Imagine you have loads of personal information or company trade secrets which you spend millions protecting. Imagine hiring the best info security employees, using all the best practices to lock down data and that is still not enough. Imagine for all your efforts the laws don’t care about trying or effort, but penalize you if your info is exposed.

I believe there are many great companies in precisely that situation - loads of data that they have gone to great pains to protect and it is simply insufficient. Many laws now require that anyone impacted by their info being exposed, even when such action is done by a criminal, get notice and sometimes “compensation” for the harm caused.

In the legal world, what this begins to sound like is that there is “strict liability” for data breaches, even when the harm was perpetrated by a criminal. Best efforts may not be protection. Doing the right thing is not enough. Being prudent is not good enough. The only thing that matters is keeping data protected.

Recent attacks include Citibank, ADP, and the US government. All with great incentive to get it right. No one is immune. I know they care and seek to do their best and still desire to get it right. But technology imperfections and criminal creativity win.

You can’t spend enough to protect the place.
You can’t be vigilant enough.
No matter what you do, it won’t be enough. A stronger hammer can always find the small window to the front door of the otherwise high tech protected mansion and smash the window and no law can change that.

Thursday, June 9, 2011

A guy takes a picture . . .

A guy takes a picture of his package. A guy takes a picture of his package and seeks to send it to a girl. A guy takes a picture of his package and seeks to send it to a girl via Twitter. A guy takes a picture of his package and seeks to send it to a girl via Twitter but she is in high school. A guy takes a picture of his package and seeks to send it to a girl via Twitter but she is in high school and he is married. A guy takes a picture of his package and seeks to send it to a girl via Twitter but she is in high school and he is married and he is a US Congressman. A guy takes a picture of his package and seeks to send it to a girl via Twitter but she is in high school and he is married and he is a US Congressman and he mis-transmits, sending the image to tens of thousands of Twitter followers. A guy takes a picture of his package and seeks to send it to a girl via Twitter but she is in high school and he is married and he is a US Congressman and he mis-transmits, sending the image to tens of thousands of Twitter followers and he lies about it and says his device was hijacked or something like that.

Nearly a decade ago I wrote “eMail Rules” (which is still relevant and still being sold) that would have provided Weiner guidance to help save his job and everything else he has lost in the last two weeks. If money had been an issue, it could have been bought on eBay for just a few dollars. Seems a small price to save your job.

Are you kidding me.