[Dataloss] Article: An Inconvenient Lack of Truth

lyger lyger at attrition.org
Fri Apr 4 22:27:48 UTC 2008


http://www.darkreading.com/document.asp?doc_id=150276&WT.svl=column2_1

When I graduated from the University of Colorado with a history degree, I was 
fairly certain it would only be marginally more useful to my security 
career than my unofficial minor in molecular biology. Sure, I'd get to mix 
in analogies about the Maginot Line and antibodies, but you can't swing a 
dead PowerPoint without hitting those two.

As with many things in life, I was wrong.

When I began my career in information security, I never imagined we would 
end up in a world where we have as much need for historians and 
investigative journalists as we do technical professionals. It's a world 
where the good guys refuse to share either their successes or failures 
unless compelled by law. It's a world where we have plenty of information 
on tools and technologies, but no context in which to make informed risk 
decisions on how to use them.

[.]

While we have no shortage of breaches, we face a dearth of good 
information. I've spent countless hours combing through every piece of 
public information on breaches, both major and minor, to determine 
consistencies, root causes, and effective defensive techniques.

I've learned how we learned exactly the wrong lesson from the breach at 
Egghead.com. I've learned how the failures at ChoicePoint were a business 
decision (that the CEO lied about on record), not a technology failure. 
I've learned how all the statistics we use are wrong, and are desperately 
manipulated by the vendor community to sell us products we sometimes need, 
and often don't.

My research leads to some conclusions that may be unsurprising, but often 
ignored:

[...]


More information about the Dataloss mailing list