CardSystems made its choices clear
Daniel Hanson, 2005-07-29

As the outrage and accusations, the knee-jerk shootings (and the knee-jerk legislation) continue to make press following the explosions and attempted explosions in London, the last thing that many of us need is another example of a situation being "solved" by ill-conceived legislation, proposed and passed in the heat of something big. Unfortunately, this is exactly what is happening on both sides of the CardSystems credit card compromise debacle.

Comment: Interesting correspondence with the Enron thing (2005-08-01)
Roger
It's interesting that you should point out that this was mainly an auditing and compliance problem, and then mention Enron, which was much the same. In Enron's case, concern (and legislation) has been raised over the conflicts of interest which prevented the auditors from doing their jobs adequately. Rumour has it that this may also have been the case with CardSystems; certainly it seems to be the case with a lot of other IT security audits.

So perhaps the solution will be similar too. When IT security audits are mandated, then as a matter of good corporate governance they should be performed by an independent party which is strongly motivated and empowered to uncover faults. Naturally few companies would want to subject themselves to this sort of scrutiny, so it must be legislatively mandated, too.

By the way, concerning the security consciousness of bank IT people: I have worked with some bank IT people, and received detailed technical reports by or about others. It's a pretty mixed bag, same as everywhere. Some companies really are formidably good, others are very mediocre. The one thing they all do well, however, is the cornerstone of banking: the *appearance* of security.

Copyright 2009, SecurityFocus