Wednesday, April 26, 2006

Disaster Stories Help Envisage Risks

The April 2006 issue of Information Security Magazine features an article titled Security Survivor All-Stars. It profiles people at five locations -- LexisNexis, U Cal-Berkeley, ChoicePoint, CardSystems, and Georgia Technology Authority -- who suffered recent and well-publicized intrusions. My guess is that InfoSecMag managed to arrange these interviews by putting a "happy face spin" on the story: "We know your organization was a security mess, but let's look on the bright side and call you an all-star!" Although the article is light on details, I recommend reading these disaster stories. They help make security incidents more real to management.

ChoicePoint is one of the companies profiled. That story really bothers me. To know why, read The Five Most Shocking Things About the ChoicePoint Debacle and The Never-Ending ChoicePoint Story by Sarah D. Scalet. I noticed that InfoSecMag did not interview ChoicePoint chairman and CEO Derek V. Smith, author of The Risk Revolution: Threats Facing America & Technology's Promise for a Safer Tomorrow and A Survival Guide in the Information Age (both published prior to the ChoicePoint debacle).

InfoSecMag also avoided interviewing former ChoicePoint CISO Rich Baich, author of Winning as a CISO. No, I am not making this up. This is the same Mr. Baich about whom Ms. Scalet wrote the following. Baich is speaking:

"Look, I'm the chief information security officer. Fraud doesn't relate to me." He indicated that he would be doing the CISO community a service by explaining to the media why fraud was not an information security issue. (The company later denied his request to grant the interview.)

The feds, however, are acting as if it's an information security issue. ChoicePoint has indicated that the Federal Trade Commission is "conducting an inquiry into our compliance with federal laws governing consumer information security and related issues."

In this interview with TechTarget, Baich says:

It's created a media frenzy; this has been mislabeled a hack and a security breach. That's such a negative impression that suggests we failed to provide adequate protection. Fraud happens every day. Hacks don't.

Wow, this guy is out of touch. Instead of having difficulty finding work, he is now on the speaking circuit as a Managing Director with PricewaterhouseCoopers. And why is he still a CISSP? This is an excellent example of the problems with the CISSP -- no one ever loses the certification.

For a stark contrast, peruse the Maryland Real Estate Commission - Disciplinary Actions site. You can read about the real estate workers who lost their licenses for mispractice. It is sad to think that information security is treated less seriously than selling real estate.

By the way -- everyone who wants an overview of risk management frameworks should read Alphabet Soup by Shon Harris in the same InfoSecMag issue.


Anonymous said...

That entire issue of Info Sec Mag was a prime example of what's wrong with Info Sec.

They interviewed the guys that made the biggest mistakes in security as if they are superstars.


Dr Anton Chuvakin said...

So what's worse: media hyping up loser CSOs or media hyping up criminal hackers... hmmmm, it's a tough one ;-)