In a comment on “Drowning In Notices,” Phill Hallam-Baker writes:
My concern was that if the warning notices become too familiar they lose their impact. It might not just be the case that people get blasé about seeing them; they might lose their embarrassment in sending them.
I don’t think people should be more embarrassed about losing data than they are about being mugged. It is very hard to offer good advice, grounded in actuarial analysis, on what makes an effective information security program. Absent that, we have best practices. (I declare it a best practice, on hearing something described as a best practice, to ask “Why?” seven times.*)
As such, companies put in place the best controls they can. Everyone gets broken into. Let’s get over the idea that there are more than a few places in the world with good operational infosec.
* After the break, seven whys, asked and answered.
- Why? Because anyone can declare a best practice.
- Why? Because we lack data about what works, so there are few effective ways to challenge some idiot with a “best practice” stamp.
- Why? Because people want to sweep failure under the rug, which inhibits data sharing, data analysis, and improvement.
- Why? Because failure is embarrassing, and sometimes career ending.
- Why? Because we hide those failures, unlike, say, the air transport industry. As long as we can hide these failures, failures will not be normalized, and will continue to be career ending. So having a law that mandates disclosure breaks this bad cycle.
- Why? Because too many of the people who worked on computer security early brought in the military model, where secrecy actually helps. See Peter Swire’s work.
- Why? Because it’s time to do better.