Shostack + Friends Blog Archive
Wondering about Phenomenon

Yesterday, Russell posted in our amusements category about the avoidance of data sharing.

He gives an anecdote about “you,” presumably a security professional, talking to executives about sharing security information. I’d like to offer an alternate anecdote.

Executive: “So we got the audit report in, and it doesn’t look great. I was talking to some of my CEO buddies on the golf course about it…”
You (interrupting): “My god! You did what?!?”
Executive: “We were talking about a lot of stuff, and we got onto audit results.”
You: “You can’t do that! It might add to our problems!”
Executive: “I’m sorry, I didn’t realize. I figured we were talking strategy, how business is going in the recession, and why we spend so darn much money on PIC audits. We’re pretty open with each other.”
You: “We need to keep that sort of thing confidential.”
Executive: “Ok, no problem.”

I’ve seen executives look to their staff for a nod, and when we shake our heads no, they acquire the belief that we shouldn’t talk about security stuff. But if we nodded instead, the world would be a different place.

Which anecdote do you think is a better representation?

(Hey, it’s Friday. We’ll get all New School again on Monday.)