2 Comments
User's avatar
Interisle Consulting Group's avatar

Thanks for your post, https://www.threatswithoutborders.com/p/threats-without-borders-issue-294/

FWIW, the comparison between disease and identity theft works well enough. There's a danger in only fixing the blame on technical (operational) failure. One could argue that operational failure is itself a symptom of a different disease: lack of accountability. Most orgs only spend on secure operations what is necessary to satisfy a nominal risk tolerance (which includes liability, which is itself typically a low risk proposition). "We meet the industry recommended practice" may be a defensible argument but if you can fall back on this, what's the incentive or motivation to do better?

Matt Dotts's avatar

Great point. As far as "We meet the industry recommended practice", whats the saying? ...compliance is not security.