Site Menu

Between a rock and a hard place

By Jim Hietala
Published 09/16/2008

I am reading Geekonomics at present, and while there are many reasons to praise the book, one of the key takeaways for me has been something that I haven't thought about previously. Namely, that the data breach laws that have come into existence in the past few years have put IT in an untenable situation, because they require disclosure of security breaches (and likely open the company up to legal consequences), but the company has no recourse on the back end. This is because even though many breaches can be directly traced to the software manufacturer's lack of software QA, as David Rice points out in the chapter entitled "Absolute Immunity: You Couldn't Sue Us Even If You Wanted To", software license agreements are highly one-sided, providing almost no ability for the user/IT organization to pursue the manufacturer.

The combination of data breach laws with the antiquated and one-sided license agreements prevalent in the software industry has put IT organizations into a "squeeze play" of sorts.

Jim Hietala

Jim Hietala, CISSP, GSEC, is Research Director and a principal of Compliance Research Group, providing research, analysis, and consulting services in the areas of compliance, risk management, and IT security. He is also the Vice President, Security for The Open Group, where he manages all security and risk management programs and standards activities.

Jim has provided research and consulting services to organizations such as SANS, The Open Group, and a number of IT security and compliance vendors. He is a frequent speaker at industry conferences, and he recently authored a comprehensive course on IT risk management. He participates in the SANS Analyst/Expert program, having written several research whitepapers and participated in several webcasts for SANS. He has also published numerous articles on information security, risk management, and compliance topics in publications including The ISSA Journal, Bank Accounting & Finance, Risk Factor, SC Magazine, and others.

An industry veteran, he has held leadership roles at ControlPath, Avail Networks, Alternative Technologies, eSoft, Qwest, Concentric Network, and Digital Pathways. He developed and launched the industry’s first remote access VPN service (Concentric RemoteLink) and encrypting ISDN router (at Network Express), and launched a compliance and risk management software start-up in the IT-GRC market.

He holds a B.S. in Marketing from Southern Illinois University.

Blog: www.compliancefocus.com

Twitter: http://twitter.com/jim_hietala

LinkedIn: http://www.linkedin.com/in/jimhietala

Blogging focus: Compliance, Risk Management, IT Security, IT-GRC software, HIPAA, GLBA, Privacy

Jim can be reached at: jim@compliancefocus.com

Spread The Word

1 Response to "Between a rock and a hard place"

Joseph Webster

said this on 17 Sep 2008 12:37:52 PM EDT

While bad software design and QA certainly contribute and enable breaches, I'm not sure that the ability to sue software manufacturers would do much to address either the quality of software or the losses incurred from breaches. Verizon Business RISK Team “2008 Data Breach Investigations Report” reports these numbers: Attacks - from outside the organization: 73% implicating business partners: 39% from internal sources: 18% Median number of records compromised - from external attacks: 30000 from partner attacks: 187500 from internal threats: 375000 Internal attacks by IT admin: 50% My takeaway from these numbers is that while software flaws and incorrect configuration may enable attacks, the most direct damage is a result of mismanaged trust, in partners and people inside the company - half of which are IT admins. Perhaps the lesson that companies should learn is that their relationship with employees and partners directly effects their security posture and managing those trust relationships should be a priority. Or just figure out how to get software manufacturers to share the pain.

(Reply to this comment)