The Visibility of Information Risk Management
I picked up today’s WSJ and got a cold, hard dose of reality. In it is an article called “Data Security Breaches Reach a Record in 2007”. It’s a fairly retrospective article that discusses the four- to eight-fold increase in compromised records for EOY 2007 vs. EOY 2006 (the discrepancy in increase estimates is due to Attrition.org using deposition information from Visa & Mastercard in the TJX case, vs. the “only” 46 million number used by TJX).
What is most disturbing to me is not the increase from 2006. It’s not that the AP article is inaccurate, or that I see how others report on our industry from afar and I find it lacking. What is disturbing is that it’s buried at the back of section B - right next to the page and a half or so of legal notices.
It’s filler.
If you’re going to read it, note also that there is no direct or indirect correlation of breach data to business impact. I don’t blame the WSJ or AP for this. I blame us. Until we’re able to discuss risk and costs within the same contexts as other business units - we’ll continue to be obscurata (obscure information of relative interest brought to social consciousness as a lark).


shrdlu Dec 31
Alex, to play devil’s advocate — if it’s considered filler, then clearly it isn’t enough of a risk to the business world for them to worry about it. If there were big enough (real) losses, often enough, then the business would care. As it is, only ChoicePoint went under; nobody’s going to care until that happens frequently enough that they’re afraid of becoming ChoicePoint.
Real business loss tends to show itself unmistakably in the pocketbook, where the CFO stands up and takes notice. It may just be that we security people are the only ones upset because it really isn’t a business problem.
Anthony Franks Jan 7
This I think is symptomatic of a wider problem: the CSO rarely is part of the C-Suite, and is therefore unable to comment on the business impact of a security breach. Too often people (often the IT department) will simply shrug their shoulders and say “Oh well, these things happen…” However, I sense the tide is turning, and the various regulatory and compliance requirements will bite someone very hard indeed, and then watch people snap to attention and get in line………………….
Adam Feb 14
Choicepoint is still operational. Only Verus and CardSystems have gone under.