It's (really not so) Good to be the King!
Posted by John Verry on Tue, Jan 12, 2010 @ 04:49 PM
With apologies to Mel Brooks ...
As a firm that performs security assessments, we are pretty familiar with dealing with sensitive data and go out of our way to handle our clients' sensitive data appropriately. We recently finished an engagement where we identified flaws in an extranet business application that exposed sensitive Personally Identifiable Information. We encrypted the report, sent a one-time HTTPS link to the document, and left the password for the doc on the client's voice mail.
An hour later the client's Director of Information Security forwarded a non-encrypted email to his internal team, the (outsourced) application development team, me, and the Application Server vendor's tech support -- detailing our exploit.
When I "politely" mentioned to him that forwarding the information in an un-encrypted email to a broad audience had put them at risk and violated their own policies (which we had signed at the project outset), he flippantly replied, "It's good to be the king."
We had lunch together today and he almost immediately revisited the subject and acknowledged it as a mistake that he had reviewed with the impacted members of his team and vendors.
I was relieved -- the single greatest predictor of an organization's security posture is the "tone at the top".