Thursday, January 13, 2005

Does Profit Motivate Security?

On one side of the pond the US has Checkpoint saying they would love to explore the idea that thousands of customers have had their sensitive information stolen. But they won't because regulations don't compel them to.

On the other side, France has found a security expert (hacker) guilty of patent violations after he posted detailed information proving the existence of a security flaw in a piece of software.

Can companies be trusted to admit when they have severe flaws that put your information and business at risk, and be trusted to release a fix in a way that your urgent security needs are met?

Or do we need town criers pointing the finger to put pressure on?

If you were running a company and you discovered your customers' personal information was stolen or could be stolen, being the concerned small business owner that you are, would you run straight out and alert everyone so they can protect their assets?

Or - remembering you have investors or stockholders, remembering there are still some sales that haven't been completed yet and knowing the bad publicity will affect your business - would you wait until you have a solution to present it? Or would you quietly fix it?

These aren't imaginary questions. Each one has been played out again and again. Chances are, whatever software you are using to view this page has bugs ranging from security to typos. A priority has been put on it and it might be fixed.

And, being the honest person that you are, didn't you hesitate for a moment considering what to do if this were your business?

Imagine how hard it is for some well meaning person who explains the situation to the CEO, CFO, marketing, legal, sales and other members of the company.

Being so well meaning, imagine the cold-hearted stereotype corporation that simply wants a high stock value and high profit margin.

As a customer, do you want your personal security and privacy handled by the marketing and legal department?

And, if you want to know, is it worth allowing people to investigate on their own and report it at the risk of a company not yet having a fix according to their schedule and priorities?