Industrial Cyber Security for the New Year
Let this be a lesson… Cyber security is not just about malicious hackers and crackers. We often say this, carelessly throwing the term around while the pundits nod their heads yes in passive acceptance. But what does this really mean? The terms “malicious” and “unintentional” are batted around in a fashion likened to security buzz-word volleyball. It is not enough merely to be buzz-word compliant; security is a discipline which we must live or adhere to. I have given countless talks in the past few years, and I often define security as “any negative event that can cause an impact to the business.” This is a very broad definition indeed, but it does help people understand that mistakes, unintended consequences, internal criminal acts, and external criminal acts all fall within this context.
I’m not sure if it’s willful complacency or ignorance of the problem, but the message continues to not sink in. Many of us do not focus on the unintentional at all, chalking them up to “oh well.” Many more spend all of their time and money thinking that security is an IT problem, or a technological problem, and therefore lose focus on everything else. Let’s keep in mind, however, that many of the recent events, such as the CAL-ISO event, have been non-technical in nature and still had serious consequences.
Looking at the news today, I found an interesting story on the damages now being awarded in the case against a dog food manufacturer that sold contaminated product that ended up killing and sickening a number of pets in the United States. Diamond Pet Food’s South Carolina plant decided to settle after lawyers proved that they failed to follow internal quality testing procedures and as such released contaminated product. The settlement details include over $3.1M US in damages to cover unreturned product, vet bills, loss of the pet, etc. This is a failure to follow procedures; this is an example of inadequate procedures and checks and balances; this is a failure of quality testing at multiple levels to ensure that this can’t happen; and this impacted the business (far more than the $3.1M award when lawyers’ fees, lost reputation, and other factors are weighed in).
This should be a reminder for the New Year… On Jan 1 the counters start over and we begin fresh. Will this be the year that we learn the lessons before experience gives us the consequence? Experience is a poor teacher, but sadly it is all too often the way we learn. Watching the indicators out there, the miscreants are watching us as we watch them, people are becoming more aware, the field of security providers is expanding, and so is the list of events we should be paying attention to.
Our best wishes to all out there for a prosperous and blessed New Year. We hope that, for all of you out there, the message of security sinks in and that we can all continue to work together to drive towards lower total risk and benefit-driven security.