Shostack + Friends Blog Archive



Consulting firms are interesting beasts. Often, they are able to make great changes in their clients’ organizations, perhaps not so much because their people are smarter, or even more knowledgeable, but because they aren’t subject to the same incentives (pecuniary and otherwise) that client employees face.

Even in cases where a comparatively ordinary service is performed, external auditing for example, the presumed objectivity and expertise of the specialist outsider provide great power. At the moment, such services are in high demand because the US regulatory environment is changing. Sarbanes-Oxley isn’t new, but it’s new enough that firms are willing to pay (and pay big) for someone to tell them what the right thing to do is. Similar examples of the power of the consultancy are easy to find.
That leverage, however, cuts both ways. The large fees which firms are, at least for the moment, willing to pay are a very powerful tool which a handful of people could use to make a significant improvement in the handling of sensitive personal information, more or less just by asking for it.
Over the last few days, both Deloitte and Ernst and Young have lost sensitive client data including names and social security numbers — Deloitte left a CD on an airplane, and E&Y had a laptop stolen from a car. In neither case was encryption used. I bet it would be used if a few clients simply picked up the phone and demanded it. Sure, switching costs are large, and there are only four (or is it 3?) choices. But at the same time, the cost for a professional services firm to deploy something like PGP Desktop (not a product endorsement, YMMV, do not taunt happy fun ball) wouldn’t be that high, and nobody wants to tick off a client over a small matter. Long story short, a phone call from (say) Google’s CFO or the Chair of their audit committee could probably have at least some of the Big 4 encrypting all mobile client data, and thereby modeling responsible behavior for their clients.