Shostack + Friends Blog Archive

What’s Next In Breach Analysis?

I asked recently “Is It Time To End the Breaches Category?” I think we, amongst others, have driven real change in expectations. Organizations outside the US, not compelled by any law, have chosen to notify customers. (Examples include a Bank of Montreal latop [link to http://ottsun.canoe.ca/News/OttawaAndRegion/2006/09/08/1814249-sun.html no longer works], the Government of British Columbia, KDDI, a Japanese phone company [link to http://www.digitalworldtokyo.com/2006/06/kddi_leaks_data_on_4_million_c.php no longer works], the Bank of Bermuda, the Grand Hotel, Brighton, UK, and others.

When I started on this, I didn’t have a deep analysis. I found it interesting, and I’ve done well by following my instincts in the past. I now know that California’s SB 1386 is one of the most important developments in recent information security history. The opportunities that it creates for empiricists are tremendously important. Similarly, the opportunity to overcome the military-derived anti-disclosure approach to information security is tremendous, rare, and not to be squandered.

As most honest practitioners are willing to admit, security work is tremendously challenging because there are a great many things we don’t know. Metrics are hard to gather, and hard to share, in part, because we have a fear of talking about what’s going on. But over hundreds of breaches, there are few lost jobs. Only one company has sold their assets at a fire sale (CardSystems Solutions. There’s 30+ mentions in our breach category archive.) It seems the stock market doesn’t care. I’ve argued these points in more detail in “Transparency is good for the soul (of our profession)” and more generally in the breach analysis category.

So where do we go from here?

Originally published by adam on 19 Sep 2006
Last modified on 31 Mar 2018
Categories:   breach analysis