If you’re in the business of providing IT services to customers, ignorance of good security is negligence!
Talking today to a very successful business that came from the bricks-and-mortar ranks a few years back and now does 90%+ of its business online: the worry and real concern on management’s faces as to why they are now in a pretty scary position really made me angry about so many “IT” businesses who supply “IT” services to these types of businesses.
Sometimes I am hard on the businesses themselves (and they deserve it), but there are times where they really do rely on, depend on and trust people in our profession to do the right thing by them… and they don’t!
What blows me away is:
Outsourcer/service provider first responses to the business when we get involved and educate such businesses on the risks their business faces:
1. Well you did not ask for that. We just gave you hosting and/or developed your application like you said you wanted.
2. Oh, if you wanted something secure, well, you should have told us. We can do that but it will cost you extra. Remember this one?
BULLS**T! We’re not living in the 80’s and 90’s anymore. If security is not ingrained into the services you provide as default for business, you have no business being in business! If it wasn’t for looking after the confidentiality of our clients, I would name the blatantly negligent IT “service” companies that we run into. We’re in 2008 now and there’s no excuses for not understanding security. Clients keep your business running and if you are not doing the right thing by them you deserve to lose them all.
We, I, SG will never hold back on our thoughts to the client on what we think of your “service”.
Where’s my valium? Signing off.
April 22nd, 2008 at 7:15 pm
Responding to myself as more comes to mind:
You need to have some form of certified training to fix a car, do electrical work, build a house etc. etc. A business needs to, or rather knows it should, engage and spend good money on CPAs and/or Chartered Accountants for their books and qualified legals, as an example, to ensure what they as a business are doing is right, but when it comes to IT, every good thing done can go to crap, including the business itself, by handing over responsibility AND accountability to a backyard operation whose marketing and expertise levels do not equate to each other. Guess which way?
Serious question and statement: should business engage the security consultancy / specialists first before anyone else gets involved?
DD
April 23rd, 2008 at 9:10 am
Totally with you dude. I think “no” on security consultancy before getting a dev company to start work, but what *should* happen, is that security stuff should be part of the quote from the dev company.
I know we all say ‘build security in’ etc, but still it’s part of the dev process and it can either be included or not, and if we quote it separately, or at least as sub-items, people can be more aware of why something with us - a nice security-minded dev company - costs more than with Joe and his mates at Slackers-r-us [compare the quotes].
What you could have is dev companies engage consultants to help with the quote, or even be a part of the quote.
This process could be described somehow and we could push it out there as a new way for dev companies to do their quoting.
April 23rd, 2008 at 2:35 pm
Oh my goodness… you’ve gone and done it now haven’t you.
Metrics, Standards and Certification vs Paper Certification vs Sliding Windows….
What other “discipline” changes so fast and evolves? What would you look for if someone was genetically engineering your new child and promising X functionality, however was “crackable” via new biotech advances? Would you seek insurance? Would you look for certification? Would you look for a demonstrated track record and then hire an independent auditor? How many people could verify the gene sequence was robust?
Stream of consciousness over. Is regulation the key? Does the nature of maths, profit and loss, or materials science really change that quickly? Do Newtonian physics and tolerances change that often? Nanotech, human/machine interfaces, quantum physics etc. will face the same problems with ubiquitous usage. Sentient attackers and abstract esoteric sciences that few can exploit and realise the level of interconnectedness
April 23rd, 2008 at 2:47 pm
no; regulation is not the key.
April 27th, 2008 at 5:50 am
If my SLAs are good enough DD, we win anyway as you know~
April 27th, 2008 at 6:31 pm
@SLAMAN, SLAs are important/key but some aren’t worth the paper they are written on. Interpretation can be a killer and are you getting something special or what you think you are getting. Sad analogy :-): A while ago, McDonalds had an advertising campaign proudly stating their beef was “Export Quality”! Sounds great - it must be good if it’s export quality but gees, I’d be concerned if it wasn’t. What would we be eating if the rest of the world did think it good enough for their consumption?!
Now McDonalds tell us they “make” their burgers for us to order! What’s your interpretation of that? Mine is that that means they cook the meat first after you place your order and then when done, they add the rest of it to it. They don’t….they pull out pre-cooked patties from a tray in a warmer and stack it on bread etc. So their interpretation of making a burger is putting the pieces together. (Since this has started, most of the burgers I have had, have not tasted as fresh as ones you might fluke beforehand coming out of the kitchen).
Interpretation is key so while contracts may be in place to provide “security” - unless SLAs dive into details to ensure everyone agrees and has the same interpretation, you could end up worse than before.
@Silky - yeah… am probably pushing it too far but involvement has to be there in some form from the outset as you discuss.
@D2 and Silky - eventually regulation makes people do what they maybe should have been doing anyway. I haven’t seen any infosec focused regulation not improve things.