There are some interesting events and decisions happening in the restaurant, finance, and healthcare industries. These and similar events of course affect companies in other countries, such as Canada, with international customers in these industries. A part of me hates to say this, but these data breaches are a good thing. Breaches force laws, which in turn force companies to spend the appropriate time and money on security research, secure software development, secure network architecture, secure deployment, and the proactive monitoring that should be done anyway. They put financial and legal obligations on private companies, which changes the risk factors when assessing security. Far too often, security is one of the first things to be ‘adapted’ when costs get higher than expected or timelines become critical. If you ask any company, they will say security is a primary consideration at all points in the development and release process, and in some cases they are being truthful. However, in many cases the minimum bar for security needs to be raised significantly. Simply running your code through some basic buffer overflow checks, installing an IPS or firewall, and checking off your ITIL checklist is not enough, not even close.
The private sector has a long way to go with security in software development, network infrastructure, and international laws. Security breaches force laws and public scrutiny, which in turn hold corporations and individuals accountable. They are a catalyst which, unfortunately, I believe is necessary for appropriate change to occur in this area. What I sincerely hope is that these and similar events cause large corporations and software vendors to become much more proactive about security than is currently the case. If done properly and proactively, less government regulation will be required. I believe the choice as to how this plays out lies with the private sector. If private sector companies continue doing the minimum, then I suspect regulation will eventually be forced upon us. I hope that too much regulation is not required.
Does your company lessen security requirements due to costs or project timelines?
