
Exploring the science and magic of Identity and Access Management
Monday, May 21, 2012

Are InfoSec Vendors Crying Wolf?

Information Security
Author: Mark Dixon
Wednesday, August 18, 2010
10:10 pm


Robert Mullins posted an interesting article this week highlighting the tension between people who warn of impending danger from information security threats …

“Mark Bregman, chief technology officer of security company Symantec … spoke at the first-ever NASA IT Summit and said the space agency is ideally suited to promote global cooperation among nations on cybersecurity. … ‘There’s an urgent need for diplomacy to kick start international cooperation on cybersecurity,’ Bregman said.”

and people who think InfoSec vendors are just fear mongers seeking to sell products …

“comments that followed Montalbano’s story suggested Bregman was hyping the threat for the sake of Symantec sales. ‘See, Symantec created the panic so as to sell its products,’ wrote one. ‘If Symantec is not the one starting all the cybersecurity mess, the whole world would be much more peaceful,’ wrote another.”

As an employee of a vendor of InfoSec software, as a student of the technology of security and as a private citizen concerned about the potential for international terrorism, I tend to side with those who point out our immense vulnerability. I hope that our technology can help combat the real-world threats that exist.

I hope the world is not lulled to passive inactivity by those who are skeptical of such threats.

 

Slide Show: 10 Worst Moments in Network Security

Information Security
Author: Mark Dixon
Wednesday, August 18, 2010
9:49 pm


Thanks to Network World for inserting a link in the middle of Dave Kearns’s article, leading to an intriguing slide show, “10 Worst Moments in Network Security.”

Ranging from

“Digital Equipment Corp. marketing guy Gary Thuerk gets technical assistance to send what’s regarded as the first ‘spam’ message to thousands on the government-funded Arpanet”

to

“Societe Generale, the large French financial services firm, discloses that one of its low-level options traders, Jerome Kerviel, has committed stock fraud worth an astonishing $7 billion, the largest in history traced to rogue trading.”

this slide show provides a somewhat nostalgic, but provocative view of bad stuff happening out there in cyberspace.


Data Breach Threats Beg For Better Access Control

Identity, Information Security
Author: Mark Dixon
Wednesday, August 18, 2010
9:39 pm


Dave Kearns of Network World posted a thought-provoking article today, “Data breach demonstrates need for access control policies.”

Highlighting a case where a tax collector in British Columbia, Canada, used government computers to look up “private tax files of hundreds of high-income individuals, apparently in the hopes of hitting them up for a business she ran on the side,” Dave observed:

There are so many things wrong here.

  1. Why weren’t controls in place to prevent, or at least raise a flag, when an agent accessed files randomly? Were they at least audited?
  2. Why did it take four years for someone to realize that there were shady dealings going on?
  3. How did CRA determine the "risk of injury"?
  4. Why aren’t the affected parties notified whenever there’s a breach?

In light of increasing government regulations covering data breaches, and hard evidence that the number of data breaches continues to grow, companies would be well-advised to

“review your governance, oversight and access control policies now — before your organization features prominently (and ashamedly) in a newspaper headline!”

 
 
 
 

To suppose that any form of government will secure liberty or happiness without any virtue in the people, is a chimerical idea. — James Madison

 
 
 
 
Copyright © 2005-2011, Mark G. Dixon. All Rights Reserved.