Oops moments
So by now everyone should be familiar with the fact that a security vendor (which, ironically, sells a DLP solution) has leaked a list of participants to a Sydney security summit conference. Included were their names, email addresses and phone numbers. Over 1000 records were leaked.
Oops happens. DLP might not be configured correctly. Time to review policies. Time to train marketing folk to review their emails before hitting “send”.
To me what was interesting was something said by their VP of APAC sales, who was interviewed on Risky Business, a somewhat amusing and deferent Australian security podcast, at http://risky.biz/netcasts/risky-business/risky-business-117-mcafee-tries-explain-data-loss-incident. The VP claimed (at 20:30) that the breach did not involve “serious data” such as “financial information or mission critical information”, but just a contact list. That comment sheds light on the misunderstandings and confusion around what constitutes confidential data, and on the difference between IP and entrusted data.
To the vendor, the data was just a contact list. It was not their “financial data” nor “mission critical information”. In the words of the VP, this was not “serious data” but a “contact list”. What seemed to be overlooked was that the data was important to the customer. The VP was unable to take the customer’s point of view (POV) and thus to accept the vendor’s responsibility for customer data. Amusing, but it points to a basic flaw in human reasoning.
In providing DLP consulting I find that the ability to change POV is a critical competency for the security expert. Realizing that “what is important to me” might differ from “what is important to them” is essential for a successful DLP deployment. The ability to don HR glasses, R&D glasses or customer glasses and try to understand what is important to each of them is what makes the difference.
Unfortunately, the ability to shift POV is a new requirement for the security expert. The nature of the threat has changed with DLP.
When dealing with inbound threats, we all face the same challenges. To quote William Shakespeare: “If you prick us, do we not bleed? If you tickle us, do we not laugh? If you poison us, do we not die? And if you wrong us, shall we not revenge?” We are all in the same boat. I do not want a virus to attack my machine. You do not want a virus to attack your machine. I do not want a keylogger to log my bank passwords. You should not want a keylogger to log your bank passwords. I do not want my blog to be made unavailable by a DoS attack. And I guess you do not want your blog to be made unavailable by a DoS attack.
But as for data, my confidential data is (probably) wholly different from your data. We might share an aversion to the loss of credit card data and national ID numbers (or SSNs), but the usage patterns of that data and the need to collect and store it change from user to user. And my IP (intellectual property) is wholly different from yours (unless I was careless with my data OR you were careless with your data, and we got to share in the booty!). For this reason, the security professional must be able to put themselves in the shoes of their businesses, users and partners (e.g. customers), understand their needs, and assist them in securing their processes and procedures. DLP can help by exposing the uses and abuses of the data, but it cannot do the process work for the professional.
I find that the ability to change POV seems to come with the experience and maturity of the professional, along with the inevitable tossing out of security dogmatism and the acceptance of practiced pragmatism. I guess if you wait long enough, it shall come (or not).
Cheers mates,
/al