Security accountability: We’re off

Remember the Vasco, i.e. DigiNotar, certificate breach scandal ..? For the many that don’t read Dutch easily enough, the gist of this court decision is that the previous owners of DigiNotar are accountable for the damages to Vasco following the breach, since the previous DigiNotar owners hadn’t secured their systems well enough.

There’s a lot to be said here.

  • E.g., that the security lapses could have been known. Due diligence …? Well, the PwC reports were all green traffic lights, at the procedures-on-paper level. But a couple of years before the take-over, a third party (ITSec, which I know for their good work [disclaimer: I have no business relations with them]) had already notified DigiNotar about shop-floor level deficiencies. Those remained uncorrected.
     
  • Add to that, that actually, the previous owners themselves started legal claims. Because a major part of their sale proceeds was still held in escrow, and they wanted the money. Vasco filed a counterclaim, logically, and won.
     
  • Also, the auditors that had time and time again ‘assured’ the security of the scheme (and don’t get me started about limiting the scope of such assurance through scope vagueness or in the fine print!) haven’t felt too much backfire. Yet, hopefully. Though recently, the same firm announced an initiative towards a new, (one can guess) proprietary, security standard. Right.

So, are we finally seeing accountability breaking through ..? I already posted something on the Target Cxx stepdown for similar security lapse(s). Now this one. The trickle’s there, let the deluge follow. That’ll teach ’em! And of course, it will generate a humongous market for backlog bug remediation, from the software levels up through controls to governance levels…
Even if that would stifle innovation for a while. Would that be a bad thing; having only the real improvements breaking through and not the junk ones ..?

OK then, now for a picture:
[Image: Monteriggioni city walls. Caption: Monteriggioni security was effective, until not, then abandoned as control approach… they did, why not all of us today?]

About maverisk

Maverisk Consultancy, IS Audit and Advisory services: Wikinomics meets governance and audit; otherwise, see my personal LinkedIn profile
This entry was posted in ERM, GRC, Information Risk Management, Information Security, Innovation (technologically driven).
