Shostack + Friends Blog Archive


The Economist on Breach Disclosure

In “New rules for big data,” the Economist seems to advocate for more disclosure of security problems:

The benefits of information security—protecting computer systems and networks—are inherently invisible: if threats have been averted, things work as normal. That means it often gets neglected. One way to deal with that is to disclose more information. A pioneering law in California in 2003 required companies to notify people if a security breach had compromised their personal information, which pushed companies to invest more in prevention. The model has been adopted in other states and could be used more widely.

In addition, regulators could require large companies to undergo an annual information-security audit by an accredited third party, similar to financial audits for listed companies. Information about vulnerabilities would be kept confidential, but it could be used by firms to improve their practices and handed to regulators if problems arose. It could even be a requirement for insurance coverage, allowing a market for information security to emerge.

I think it’s cool. You don’t. Discuss.

3 comments on "The Economist on Breach Disclosure"

  • James K. Adamson says:

    Grabbed this issue on my way through the airport to an infosec gig and am looking forward to reading the full article. Just the info on the growth of information being produced was mind-boggling!

  • Ben says:

    I think this is a very good thing, to be honest. Sorry to disappoint and agree with you! 🙂 We chatted a bit about it at the ABA InfoSec Committee meeting over the weekend and even the lawyers think it’s a good idea to have better breach reporting. It’s almost like the world is becoming so insane that it’s actually sane. 🙂

  • LonerVamp says:

    I need to grab a copy of the article, but just to add some comments…

    First, I will always agree that sharing information and disclosing breaches is a benefit, from a security perspective.

    Has this pushed companies to invest more in prevention? I’m not sure. I think plenty is spent on avoiding disclosures, reducing compliance/risk scope, and satisfying audits. Does that improve prevention or detection? Hard to say.

    I always wait for comparisons between IT security audits and financial audits; hell, I often find myself thinking the same thing. My big problem with that, though, is similar to why I think checklist compliance is weak. Financial practices are very objective, painfully so. There are only so many ways to do things, and while it is mind-boggling to non-accountants, they ultimately all do make predictable and comparable sense. IT solutions are still as much artful as they are predictable. One company’s network may dramatically differ from another company’s, even those in direct competition with each other in the same exact space. How do you get any sort of checklist that will be effective enough to offer value across the board without incurring even more financial barriers to entry into business in a digital world?

    That rant dives pretty far into checklist compliance, but if anyone wants to start having public audits and comparisons like financial audits, it’s a dirty and necessary topic. Then again, it’s not like insurance (or financial audits to reflect business ethics/health) is an exact science…
