
Security should no longer be 'cementing' the status quo

Michael Oberlaender | March 21, 2014
If your security program is struggling, don't stick with it simply because it's the way things have always been done. Sometimes, adaptation and change can be for the better.

Again, this is the reason why laws and regulations are needed in this space — but again, it would be great to focus on data avoidance, better processes around healthcare, and more privacy for the patient. Why do they have data stored in all kinds of databases instead of on a mobile device with military-grade encryption and a key (the device that opens access) that only the patient (customer) has control over?

Or look at the SOX and SSAE16 (formerly SAS70 Type II) regulations: after the global community faced management oversight scandals like Enron, WorldCom and many others, stronger laws and control regimes were put in place. This is another reactive approach. First there is only limited regulation, following the mantra "the free market will fix it". Then big damage (in addition to the direct damage) is done to third parties such as the stockholders, owners, or other beneficiaries of the entities whose management has not acted properly or has even committed fraud. Only then is some reactive measure put in place, which places a heavy burden and a lot of inefficient effort on the auditors and others directly involved.

And, to be fair to management — if you're the CEO / CFO of company XYZ and you now sign a statement each year that is your "go-to-jail if someone in your organization messed up"-card, you still risk a lot regardless of how many controls you have implemented and how much integrity you stand for.

Another great example of a completely wrong approach is the misuse of Social Security Numbers (SSNs) in the United States of America by banks, credit bureaus, insurance companies, doctors, health plans, utilities, and many other entities for either authentication or verification purposes. Why on earth would a government-issued number that is meant for tax and social benefit purposes only be allowed to be misused for other purposes, which only creates the potential for fraud and ID theft?

These are all reactive and ineffective controls. Instead, one should ask: "How can we make sure that processes are designed and built so that they are secure and can't be overwritten or fumbled with by management, IT super-users, or others?" and "How can we control, access, and publish the financial parameters of a company (entity) so that they become early-warning / leading indicators, and ensure transparency to all, so that 'insider trading' and similar threats are not possible by design?"

We should create systems and processes where a change is 100% detected, tracked, and managed (accounted for), so that misuse, fraud, insider trading, etc. are not possible. Insider trading is only possible if there are "insiders" — anyone with advance knowledge of and access to information that others don't have. The moment we create a third-party oversight regime with stringent, transparent, effective and efficient change control mechanisms, we solve the root cause of the common problem, instead of fumbling with symptoms.

 
