Shostack + Friends Blog Archive


Elsewhere in the New School department

Dennis Fisher wrote “Why Bob Maley’s Firing is Bad for All of Us:”

The news that Pennsylvania CISO Bob Maley lost his job for publicly discussing a security incident at last week’s RSA Conference really shouldn’t come as a surprise, but it does. Even for a government agency, this kind of lack of understanding of what actually matters is appalling and it is a glaring example of the sickness of secrecy that’s infected far too much of the security community.

and Adrian Lane wrote “FireStarter: IP Breach Disclosure, No-Way, No-How:”

On Monday March 1st, the Experienced Security Professionals Program (ESPP) was held at the RSA conference, gathering 100+ practitioners to discuss and debate a few topics… As could be expected, the issue of breach disclosure came up, and of course several corporate representatives pulled out the tired argument of “protecting their company” as their reason to not disclose breaches. The FBI and US Department of Justice representatives on the panel referenced several examples where public firms have gone so far as to file an injunction against the FBI and other federal entities to stop investigating breaches. Yes, you read that correctly. Companies sued to stop the FBI from investigating.

If we had a stamp of approval, I’d be stamping both of these posts. But as is, I’ll just point at them and say “stop what you’re doin’, cause they’re about to ruin it.”

One comment on "Elsewhere in the New School department"

  • Michael says:

    Nice Digital Underground pull . . .

    Somewhere, a few years ago, there was a study done about how there isn’t really a serious or prolonged impact on the stock price of a company after word of a breach gets out.

    Likewise I’m sure someone can provide info on how many C-level folks aren’t ousted by their Boards or shareholders after a major breach is announced.

    Which begs the question: If the reason for not sharing/investigating is about protecting the company and its shareholders, what data are they using to justify silence/obstruction?
