By the time you read this tomorrow, you’ll probably already be aware that Google, because of broad, sophisticated, targeted attacks, will stop censoring its searches in China and will consider pulling out of the country altogether. http://googleblog.blogspot.com/2010/01/new-approach-to-china.html
I don’t know any more than anyone else about this, but it highlights something very important that I think gets lost in a lot of our security discussions:
We’re all at risk, there are active threat actors, and state of the art doesn’t work. While I’m sure Google isn’t perfect in the internal security arena, I can’t help but think it makes an above-average attempt at security and uses some very bright people. For them to be attacked in such a way that it makes them reevaluate their business strategy in a market as large as China’s, it had to have been some pretty nasty stuff.
It makes you wonder – or it should. How does that bode for the rest of us arguing about putting in half-assed security controls and using 10-year-old security architectures and paying lip service to security because we don’t really believe in the threats?
And, by the way, executives, this is your issue, not ours. How -could- your business be negatively impacted by compromises? Reductions in service? Lost data? Have you thought about that? Have you made those operational requirements? Have you looked beyond compliance to “security”? Maybe you should. Then tell us how you want to play it, and we’ll build it for you.