Adam, I suppose we’ll cordially need to agree to disagree.
First, let me reiterate that I am usually for a more open style of disclosure, but I believe that breach disclosure should be done in a grey box fashion, not a translucent one.
That said, there is a difference between describing operations from a pragmatic perspective and from a security perspective. I agree with Adam that describing one’s operations from a pragmatic perspective (“This is how we use Six Sigma”) may not erode one’s competitive advantage.
But security operations are a different ball game. Perhaps my using the term competitive advantage was not correct. What I mean is more along the lines of disclosing sensitive operational information. As security professionals we are averse to leaking any information pertaining to operations, and I view breach disclosure in the same way. There was a point when security professionals were afraid that posting technical job requirements for new positions on monster.com would leak information about the internal systems used in a corporate environment and give the attacker information.
Just as we now have an understanding of responsible disclosure for technical information security vulnerabilities, we need the same for breach disclosure.
If not through a centralized (not necessarily government) body Adam, what do you propose that would allow for better, more accurate and confidential disclosure that does not leak sensitive information?
Didn’t you cite the Ontario/British Columbia breach notification forms (here, here) in your presentation? Aren’t these forms from a government agency that entities must report to? I read through these forms, and nowhere do they request technical security information as detailed as that released in the TJX 10-K.
PS – My biggest take-away from the TJX case was that the cost of the breach was about $5 million, or $0.01 loss a share. This is a far cry from the $1.7 billion price tag reported by some media outlets.
3 Comments
The $5 million is *so far*. I wouldn’t be surprised if the final number reported exceeds DSW’s $45 million cost-of-incident as reported in their financial statements.
Of course, even then it’s not particularly significant in terms of business impact. $50 million is nothing to sneeze at, no, but it’s all relative when you’re talking tens of millions of dollars to a company that profits $250 million a quarter. Looking at other recent charge-offs for TJX and the cost of the breach seems to be an acceptable business risk.
North Carolina requires centralized reporting, as does NY. NC’s reporting form asks:
I don’t see a big deal with this.
I have a bunch of NY docs here:
http://www.cwalsh.org/BreachInfo/primary_sources/firmlist.html
Folks can see for themselves what has been reported. IMO it is helpful but inadequate. NC is better in what they ask for.
A slight debate has erupted over Adam’s presentation “Security Breaches are good for you” which makes it a success. Of course, Adam means good for the rest of us, not the victims. One can consider two classes of beneficiaries to breach information:
1. The direct individuals concerned. …