Comments on: Personal Responsibility in Information Security

By: Chaordic Mind » Personal Responsibility in PCI

Chaordic Mind » Personal Responsibility in PCI — Sun, 16 Aug 2009 19:42:58 +0000

[...] week’s personal responsibility award goes to Rich Mogull for his excellent point-for-point response to Robert Carr, Heartland CEO, [...]

By: Interesting Information Security Bits for 08/10/2009 | Infosec Ramblings

Interesting Information Security Bits for 08/10/2009 | Infosec Ramblings — Mon, 10 Aug 2009 22:40:31 +0000

[...] response to Nick’s post on Fudsec. Chaordic Mind >> Personal Responsibility in Information Security Tags: ( general [...]

By: admin

admin — Mon, 10 Aug 2009 19:05:07 +0000

Nick,

I think we both agree more than others might imagine and I appreciate your call today to discuss the issues.

Long term we need to evolve any process we have that includes a movement towards both risk management (RM) and a capability and maturity model (CMM). This is the industry natural evolution of information security that many of us have heard being expressed for years.

I want to move the conversation forward while keeping the focus on individual self improvement, which for many larger companies will involve RM & CMM.

By: Nick Selby

Nick Selby — Mon, 10 Aug 2009 11:34:18 +0000

Excellent post, Mike, and I’m glad you wrote it (you raise great points). I think you misunderstand my main point. Interestingly, my post was entirely about personal responsibility. What I said was that abdicating your security stance to that dictated by rulesets was a breach of your fiduciary duties to shareholders; that compliance [to rulesets] is achieved as a result of well-managed risk (that is, taking responsibility for risk results in doing the right thing in the first place) and that CEOs who hand the government or PCI the reins to state the minimum standards as writ deserve to be fired. That is absolutely and totally about personal responsibility, moreover it is about integrity.

My post advocates is the separation of compliance tasks from the security department and an expansion of communication within organizations between traditional information security and other caches of useful security data. Of course I think frameworks and rulesets are a useful part of an organization’s IT strategy, but I repeat that compliance is not security.

Your comment about history showing that in the absence of legislation there exists a downward spiral of corporate responsibility towards protection of customer/consumer information and the well being of others? That’s a religious debate I won’t enter, but will say that, for example, breaches have and always will happen and that industry rulesets like PCI DSS has not stopped them any more than SOX prevents corruption and falsification of records. Compliance is not security, even when it’s compliance with a ruleset intended to increase security. I raise again the point that rulesets treat as static and definable that which is ethereal and constantly changing. I’m sorry you missed the skimmer relevance; I’ll let my blog post stand as is.

With respect to the question or whether someone said we couldn’t secure data, my point is that, with their hands full of compliance tasks, many organizations don’t have the resources or time to to proactive security.

Concrete, tactical example of how I believe organizations should cooperate? In the simplest of a thousand examples, marketing departments almost certainly have information on brand abuse. Only in the most forward-thinking organizations is this shared with the information security department (it’s a great leading indicator of hanky panky and could speak to issues of brand management, piracy, counterfeiting and even physical threat), when that and data like it should ALL be being shared to help bring awareness of risks to senior management.

Thanks again for this – it’s a really important discussion and I hope to continue it!

By: Robert kelly

Robert kelly — Mon, 10 Aug 2009 09:33:52 +0000

Great post! I totally agree with that - here is another post that points out your saying about data security and responsibility. I recommend reading the 1st and the 3rd posts.

By: Network Security Blog » Two must read posts on PCI

Network Security Blog » Two must read posts on PCI — Mon, 10 Aug 2009 04:36:02 +0000

[...] like Mike’s response and especially appreciate his point that security professionals have to stop using compliance as a scape goat for not securing their data. “I couldn’t secure my company because I was spending too much time worrying [...]

By: Ben

Ben — Sun, 09 Aug 2009 23:53:31 +0000

This is great stuff, Mike. I’ve been grappling with similar issues the last few months – under the guise of “responsibility without authority” – a problem of enablement that I think we’ve encouraged in the security industry. fwiw.
http://www.secureconsulting.net/2009/07/on_responsibility_without_auth.html

By: Jericho

Jericho — Sun, 09 Aug 2009 21:54:45 +0000

Are you suggesting that PCI is a “carrot-and-stick” approach? Companies are PCI compliant to avoid punishment (fines), perhaps a better analogy is in order?