Layer 8

Security is fundamentally about people, and everything we know about people is relevant to security. -- B. Schneier

Don’t ask me, ask that guy over there.

It occurred to me the other day that while it’s always fun to talk security with analysts (hell, who doesn’t like being asked for their opinion?), they probably shouldn’t be talking to me.  Or at least, they shouldn’t be talking exclusively to me.

The security community is a pretty self-selecting group.  If you only interview people on Twitter, people who blog about security (or comment on those blogs), or people who go to security conferences, you’re not getting an accurate picture of the security landscape.  You’re ignoring the vast majority of people who are responsible in some way for the security of their networks, but (a) don’t know it, (b) don’t care, and/or (c) don’t have the knowledge or management backing to do anything about it.

How many organizations out there consider data breach notification laws to be completely irrelevant to them?  Not because they aren’t applicable, but because the organization’s security state is so abysmal that they wouldn’t know a data breach if it sent them a strippergram with their own money?  How many are falling through the cracks of compliance because they’re too small, in the wrong industry, or simply trapped in the security ghetto?  How many are not in Verizon’s breach database because it would never occur to them to call?

On the one hand, the answers will probably make you depressed.  On the other hand, those of you who are lusting after accurate data will probably regard anything that expands our state of knowledge as something to be pursued.  We need more outreach—not for the sake of selling more security widgets or services, but simply to bridge the security divide.

Posted by shrdlu on Sunday, December 27, 2009