Saturday, September 27, 2008
700 Billion Dollar Information Security Bailout
1). Failed regulatory oversight (SOXs, HIPAA, GLBA)
2). Failed self regulation (PCI, ISO)
3). Failure for consumers to manage risk (education, awareness)
4). Failure for companies to manage risk (risk analysis, awareness)
5). Failure for the current bailout to protect the consumer (no need to explain)
6). Reaction only when a threat is upon us (building security in vs slap on)
In both situations, the consumer is talked about...held up as the main focus, but the actions do not seem to support protecting them. Look closely at our privacy laws, security laws and identity theft laws and you can see the lack of any real consumer based legal causes of actions that are available.
Do you see any opportunity to leverage the current crisis to finally focus on the consumer privacy and security rights? At a time when the government is calling upon greater oversight and regulatory authority, should the security industry be lobbying to get the consumer protections front and center?
The unfortunate thing is the agents of change are the ones most guilty of violating consumer privacy and security. Much of the meltdown has been the savage exploitation of consumer behavior. Have we also considered that much of corporate behaviors in information security are trending in the wrong direction? Have we also considered that bureaucrats and politicians are too easily swayed by corporate leaders?
Risk management shouldn't be a cliche phrase thrown about by the likes of process weenies such as Robert Mcilree. In the same way and the folks over at Gartner and CMMi advocate that process can be a substitute for competence, information security in many large enterprises are equally guilty of using it as a substitute for true risk management.
Identity management is one thing that is way overhyped where every enterprise was forced into a one size fits all approach instead of focusing on optimizing cost/benefit for any given situation. Would Pat Patterson, Nishant Kaushik and others acknowledge guilt? I think not as their employers are technology legislators that have generated a hype cyclce that is a boon to consultants and have helped generate a lot of paperwork and control process but otherwise has become a distraction from core risk management practices and ends up being an architecture that is driven by the whims of an external auditing group rather than targeting a prioritized list of business specific risks.
So, let's acknowledge that what will save the day is architecture and that maybe we do need a new kind of leadership, one that understands the need for an agile enterprise architecture, strong technical leadership and an understanding of the human aspects of technology. The key is whether the masses will stand up for what is right or simply devolve back into perception management.
The government needs OWASP style governance. For the current power structure, don't worry, your jobs are safe as no one is listening...
Links to this post: