October 01, 2003 — CSO —

IT's a Matter of Trust

When waging war, it's important to know who your enemies are. It might be even more important to know the exact coordinates of your friends. But how can you trust those friends if you don't know how they operate? Our July "Hall Monitors" story emphasized the need to know who's on your network and how they operate.
Mapping networks and performing penetration testing may provide some confidence level, but if the people who we have holding the keys to the castle intend harm or to just plain rip us off, all the other work could be wasted. Strong, deep "people due diligence" should always be part of the mitigation plan. Many methods exist to accomplish this, such as a background investigation that could reveal a past history of similar behavior. It's the people, not the machines!
William M. Besse
Director of Corporate Security
Belo

One Broken Window Begets Another

Ever walk by a broken window in a rundown building and feel the temptation to throw a rock? Our June CSO Undercover column, "Broken Windows in the Boardroom," emphasized the importance of remembering the little things that need to be fixed. And to then dole out the accountability. This reader agreed.
Your June CSO Undercover article makes a compelling case for accountability as a fundamental tenet of risk management and security policy. Well done. It seems so obvious but, as the marketing executive for a startup who is building a tool squarely targeted at the "knowledgeable, empowered insider" from an information theft and misuse perspective, I've seen repeatedly the implementation of policy without the will or the means to ensure employees and other insiders are accountable
Bill Fletcher
VP of Business Development
Verdasys

The Heat Is On

In baseball, when a pitcher is described as "bringing the heat," it means he's going to throw the ball with great force. If you fear the heat, you'll need to step back from the plate. Same is true in security. But our July column, "If You Can't Stand the Heat, Don't Call 'Em," provoked a bit of rage. It's about calling in law enforcement
This article unduly spreads fear and perpetuates the urban myth that calling in law enforcement for an IT penetration incident should be avoided. And it undermines our collective security efforts.
Calling in law enforcement when economic losses exceed $5,000 (which is not very difficult to quantify) can benefit a business by limiting liability, mitigating damage and helping stop perpetrators, yet it does remain a business decision.



