by Mike Masnick
Mon, Jun 8th 2009 8:32pm
We were just discussing whether a security auditor should be liable for giving a company a passing grade if there's later a security breach. Considering that it's pretty much impossible to be perfectly secure, and that there are always some things that can go wrong, it seemed like a bad idea to hold auditors liable, except in situations where there was obvious fraud or gross negligence. And now there's evidence that security professionals may try to trick auditors, raising even more questions about why auditors should be liable. Michael Scott points us to the news that a recent survey of security pros found that 20% admit to having cheated, or to knowing others who cheated, in order to pass a security audit. Now, the phrasing can be misleading -- by asking whether "they did or they know someone who did," the survey could (in theory) be counting just one guy who cheated... who happens to know a lot of other security professionals. So it would certainly require a bit more research to determine how widespread the cheating is. It's also not clear how many times the cheating occurred. If it's every audit, that's one thing. If it just happened once and the issue was fixed, that's quite different. Still, it's more evidence that you can't just blame the auditors -- especially when the security pros at the company may not be completely truthful in providing info to the auditors.