Life or Death Decisions in Information Security

On Friday an Albany police officer shot and killed a 19-year old male when a routine traffic stop turned violent.

The suspect and deceased allegedly reached for the loaded .22 caliber handgun that he was carrying after the SUV he was driving was stopped for a traffic violation. Officers shot and killed the man, claiming self-defense.

A public press hearing was held which quickly became explosive, a chaotic scene high with emotions.

While it is difficult to draw analogies between a shooting and cybercrime, one can draw some parallels between the physical and cyber realms. It is often difficult to know the best course of action in either. And in both cases, there is rarely enough time or information to make good decisions.

There are no absolutes in our business.

One can draw many conclusions about the potential outcomes of not neutralizing an allegedly enraged and armed suspect on the streets of downtown Albany. We can also make some assumptions about the effects of negligent or absent security controls in the workplace. When it comes to making difficult decisions about what to do or not to do and when to do it, things become hazy real fast.

On the street it can get you killed. In the workplace the worst is usually termination of a different sort.

And sometimes it’s hard to know what side you’re on.

Stratfor, Comodo, RSA and HB Gary all make a living securing other organizations, yet became targets themselves over the past year. According to public opinion, each of them became targets because of who they were – yet they became victims because they didn’t practice what they preached.

On top of that, each made bad decisions while under duress, whether it was latent customer communications or weak security remediation.

Friday’s press release in Albany was chaotic for a number of reasons. First, neither side had all of the necessary information and assumptions were made by both sides about what had happened. We saw this happen to RSA and the other victims in the court of public opinion, as well. It’s tough to know who’s to blame.

What we do know is that a young man is dead. And intellectual property worth hundreds of millions of dollars was compromised. These are indisputable facts. Despite lengthy investigations, this may be as close as we ever get to the honest truth in either case.

There are no absolutes in our business.

Those committed to providing honest, effective security will work tirelessly to perfect their fundamentals and plan for the unexpected. Like good public defenders, good security providers will possess strong situational awareness, true aim and flawless decision-making ability.

Great security providers will be able to do all of that while taking enemy fire.

About regharnish

CEO of GreyCastle Security

One response to “Life or Death Decisions in Information Security”

  1. rascai says :

    According to Digital Trends, “the problem with being Anonymous, and decentralized is that one hand doesn’t necessarily know what the other hand is doing-or saying.” The Strategic Forecasting attackers claimed to be from Anonymous, and said they obtained passwords and credit card information from approximately 4,000 individuals that were on the “Stratfor” private client list. However, a separate statement from Anonymous denies responsibility for the breach. At this point (for Stratfor), is it really important as to “who” perpetrated the attack, or should the focus be on “how” it occurred?