It's pretty clear at this point that there's a trend of attacks targeting security solution providers. The most recent victim in the post-HBGary landscape is RSA.
A lot of people seem to be talking about what they believe actually happened during the breach. The company has yet to officially comment on the details of the incident and seems to be wordsmithing any communication to the outside world pretty heavily. While I'm sure the technical facts will be interesting, and that they will make their way around the rumor mill eventually, I'd like to talk instead about something that I feel is more important - due and reciprocal care.
The medical industry seems to have this concept pretty well wrapped up. If you ask a psychologist, "who listens to your problems?" they will tell you that their psychologist does. This is because it is considered unprofessional, and in some cases a violation of the ethics code, to self-diagnose, self-prescribe, and self-medicate. Of course, this raises the question of who treats the psychologist that treated the first psychologist? Well, another psychologist, of course. So, theoretically, as long as there are at least 3 practitioners in the world who practice psychology, this model will continue to function, and we won't end up with a bunch of mentally disturbed psychologists.
I doubt anyone on the professional services end of the information security industry would argue that there's a shortage of providers offering security assessment and remediation. So then why do things like the RSA incident happen? It's because nobody is examining the physician. In fact, I'd be willing to bet that if you took a sample set of posture assessments from the top 10 information security product and service vendors, the results of what's already left the building would be staggering. Further, most people close to the scene will tell you that things have not changed dramatically from the days when the entire Solaris source tree was essentially public domain in the hacker underground, and Larry Ellison's personal passwords were in a t-file.
Why? It's simple. Just because your company's primary business is security does not mean that you possess said security. What it does mean, however, is that the risk you take is not limited to your standard business risk: your reputation is predicated on your ability to protect your own assets in the same manner that you would help a customer protect theirs.
So that you don't think this is the pot calling the kettle black, we have in fact engaged an outside advisor to look at the company footprint, assess its security, and make recommendations for remediation. If you're a security vendor, shouldn't you?