Haydn Rees

Cheltenham

IT Professional

How do you make the leak law cheap to police, and make companies do all the right stuff and only the right stuff?

Reward admission, and penalise silence.

The Company is liable under Civil Law for the cost of Credit Card Fraud arising from the theft of data.

The Directors are Criminally liable for silence. The clock starts when the breach is discovered. The clock stops when; the breach; the Impact Mitigation Plan; and the Lessons Learned Log are published.

That's right; the only way to make this a priority is to make the most important question "Will the CEO and the CIO share a cell or have adjoining cells?" Poridge.

They will start paying for the sort of regulated White Hat Penetration Testing Industry we desperately need, to ramp up (ISC)², CISSP, SSCP, CBK, etc.

Defensive Security training needs to be under much more fierce evolutionary pressure that is the case currently. Stop putting your hands over your rears, closing your eyes, and shouting "La la la la la" whenever anyone suggests security gets cracked. Do something useful about it.