Standard & Poor's Announces Security Certification
L. Taylor - July 31, 2000

Event Summary

Earlier this year, private-industry security experts, working with SecurityFocus.com, identified and publicly exposed security vulnerabilities in Standard & Poor's Comstock boxes. TEC published the story of this security faux pas earlier this month. Shortly after the story ran, Standard & Poor's announced a certification program dubbed the Security Circle Program. The timing of the announcement is uncanny enough to make users question its motivation.

Market Impact

In a recent press release, S&P said that "Standard & Poor's Security Circle Icon identifies those companies that have voluntarily undergone Standard & Poor's most stringent analytical review." When Standard & Poor's own security track record is subpar, savvy users who have done their homework will find it hard to take this certification seriously.

User Recommendations

The fact that an organization is doling out security certifications does not mean that it understands security. The best way to judge whether an organization really understands security is by its track record and references. Security is complex, and even the most careful companies are at risk.

Rolling out a security certification program after having egregious security vulnerabilities exposed tends to provoke a lot of questions. Astute users would naturally wonder whether this is a marketing ploy to "make clean" a tarnished security record. If it is a marketing ploy, it is the wrong approach. If it is not a marketing ploy, it is an incredibly poor choice of timing. If S&P has a valid and robust security certification to offer, the program will attract more clients once S&P can first prove that it understands how to secure and certify itself and its existing customers.

What is the best thing a company can do when it has made an egregious security mistake? How can a company restore its tarnished reputation? The best way is to admit the mistake, apologize for it, and detail the plan of action it is taking to recover from it. The recovery plan should prevent similar incidents from happening in the future. Detailing the recovery plan to analysts and current customers can only help build a credibility case for improved security going forward.

Make sure you understand the motivation behind a security certification before accepting it as truth. The best kind of certification is one issued by an independent third party. Even then, savvy users will ask, "Does anyone from the company being certified sit on the board of the certifying organization?" Being aware of potential conflicts of interest is one way for companies to protect themselves.
