Why Due Diligence as a Defense is Not Enough
by Carter Schoenberg - CISSP - Second Chairs - Monday, 28 March 2005.
Corporate executives love two words: “due diligence”. Unfortunately, due diligence is only half of the formula for meeting the “standard of care”. It is startling how large a percentage of these executives fail to grasp the concept of, and the legal liability imposed under, “due care”. Due care is the second half of the formula and is equally important; without it, the standard of care cannot be measured. Due diligence shows you where your risks lie. Due care is acting on what due diligence discovered, so as to protect against or mitigate exposure from those risks.

While businesses have invested in technologies such as firewalls, intrusion detection, and now intrusion prevention, we are all too familiar with FUD (Fear, Uncertainty, and Doubt). How many presentations have you attended in the last six months where a security service provider discussed “Code Red”, “Nimda” or “Slammer”? The most recent of these is now two years old. So why are we still discussing them? One word: “fear”.

Fear of what, exactly? Some might respond with “Distributed Denial of Service (DDoS) attacks, identity theft, or the theft of intellectual property”. All of these occur. What are the odds of one happening to your company? More than 60% of all US businesses face civil litigation at least once in the course of their operation. According to the FBI, approximately 85% of businesses surveyed in the United States last year reported a financial loss attributed to computer/cyber attacks. With decision makers’ core focus revolving around the types of attacks and whether they originated from outside or from within, perhaps you should turn your focus to the ramifications after the attack rather than the attack itself.

It seems that almost daily a news report highlights some form of security breach. This barrage of reports feeds the FUD factor. So, is the FUD factor justified? To an extent, yes. However, is our focus in the correct area? No! If you take vendor bias out of the equation, the one common denominator in preventing potentially negligent action is understanding that “what” you do is more important than “how much” you spend. Obviously a cost is associated with security. Since security usually falls under the scope of risk management, the transference or acceptance of risk is more commonly understood than the possibility that those same risks become the catalyst for civil litigation.

A common complaint from middle-level management is insufficient buy-in from upper-level managers. Even with the FUD factor in play, many maintain that since court cases are not plastered all over FOX or CNN, lawsuits in this area do not take place and therefore the actual risk is more qualitative than quantifiable. Any experienced attorney will concur that non-disclosure is commonly among the terms of settling a lawsuit. This practice is what keeps a lawsuit out of the public eye, not a lack of occurrence.

President Bush has set forth an initiative for tort reform. Just recently in Georgia, claims against medical physicians were capped at $350,000 per claim, where before claims in the millions were very common. Even with tort reform in place, civil lawsuits will continue to take place. Are you ready for court? Is your CEO or President? Think so? In the wake of the Enron and Tyco incidents, it should come as no surprise to business executives that security and networking personnel have a duty to document transgressions that can lead to a breach or fraud. If your networking manager provides the CIO or CEO with information supporting the need for enhanced security and the request is denied, it should be incumbent on that same individual to say, “I understand. I need you to sign here acknowledging that you were advised on this issue and declined my recommendations.”
