Event
Summary
Earlier this year, some private industry security experts, in conjunction
with SecurityFocus.com, identified and exposed the security vulnerabilities
on Standard & Poor's Comstock boxes. TEC published the
story of this security faux pas earlier this month. After the story
was published, Standard & Poor's announced a certification program dubbed
Security Circle Program. The timing of the announcement
is uncanny enough to make users question the motivation of the announcement.
Market
Impact
In a recent press release, S&P said that, "Standard & Poor's Security
Circle Icon identifies those companies that have voluntarily undergone
Standard & Poor's most stringent analytical review." When Standard & Poor's
own security track record is sub par, it is going to be hard for any savvy
users that have done their homework to take this certification seriously.
User
Recommendations
The fact that an organization is doling out security certifications, does
not mean that they understand security. The best way to judge if an organization
really understands security is by their track record and references. Security
is complex, and even the most careful of companies are at risk.
Rolling
out a security certification program, after having egregious security
vulnerabilities exposed, tends to provoke a lot of questions. Astute users
would naturally wonder if this wasn't a marketing ploy to "make clean"
a tarnished security record. If it is a marketing ploy, it's the wrong
approach. If it's not a marketing ploy, it's an incredibly poor choice
of timing. If S&P has a valid and robust security certification to offer,
their program will reap more clients if they can first prove that they
understand how to secure and certify themselves, and their existing customers.
What
is the best thing a company can do when it has made an egregious security
mistake? How can a company restore its tarnished reputation? The best
way is to admit the mistake, apologize for it, and detail a plan of action
that they are taking to recover from it. The recovery plan should prevent
like incidents from happening in the future. Detailing the recovery plan
to analysts and current customers can only help build a credibility case
for improved security in the future.
Make
sure you understand the motivation of security certifications before accepting
them as truth. The best kind of certification is one from a distant third-party.
Even then though, savvy users will ask the question, "Is there anyone
from the distant third-party company sitting on the board of the certifying
organization." Being aware of potential conflicts of interest is a way
for companies to protect themselves.