Shostack + Friends Blog Archive


Is there "Room for Debate?" in Breach Disclosure?

The New York Times has a “Room for Debate” on “Should Companies Tell Us When They Get Hacked?”

It currently has 4 entries, 3 of which are dramatically in favor of more disclosure. I’m personally fond of Lee Tien’s “We Need Better Notification Laws.”

My personal preference is of course (ahem) fascinating to you, since you’re reading this blog, but more seriously, it’s not what I expect anyone else to find interesting.

What’s interesting to me is that the only person who they could find to say no is Alexander Tabb, whose bio states that he “is a partner at TABB Group, a capital markets research and consulting firm.” I don’t want to insult Mr Tabb, and so found a fuller bio here, which includes “Mr. Tabb is an expert in the field of international affairs, with specialization in the developing world, crisis management, international security, supply chain security and travel safety and security. He joined Tabb Group in October 2004. [From 2001 to 2004] Mr. Tabb served as an Associate Managing Director of Security Services Group of Kroll Inc., the international risk consulting company.”

I find it fascinating that someone of his background is the naysayer. Perhaps the Times was unable to find anyone practicing in information security to claim that companies should not tell us when they’ve been hacked?