Would you buy a car without seat belts?

Recent headlines said, “Network ransacked in huge brute-force attack” (Source: The Register) and Hackers break SSL encryption used by millions of sites(Source: Huffington Post) among many other security and privacy news that fill the news outlets every time I look and listen.

The problem is not some new phenomenon, but one that continues to repeat itself again and again throughout human history. Complacency, deregulation and a lack of oversight repeatedly represent the 1-2-3 knockout count for organizations. We have everything we need to fix the fundamental problem and that is by using an alternative 1-2-3 knockout count through governance, technological control and vigilance.

Through governance, basic rules and requirements are established; through technological controls, a steadfast mechanism applies governance without bias and finally, through vigilance, these processes, procedures and controls are tested.

Just like a modern automobile has standard safety equipment such as seat belts and air bags; modern business and consumer applications and supporting technology have security components that come standard. Some people may choose to not wear those seat belts and eventually end up head first through the windshield and in the morgue as a result. The same is true of your business and consumer technology. If the security components are not used properly, a breach or privacy invasion with ensuing litigation or identity crisis is sure to follow. The end result may very well be the bankruptcy morgue.

As a corporate consumer, how do you verify that everything that can be done to protect privacy, security and intellectual property is in place and functioning correctly?

One method is to look for independently verified, internationally recognized, certifications of those control environments certified by reputable organizations. One such certification for commercial organizations is called the SSAE 16, otherwise known as the Standards for Attestation Engagements Number 16, which is an internationally recognized third party assurance audit designed for service organizations. It is also the international standard that replaced the now defunct SAS 70.

Before you form a relationship as a corporate consumer with any service provider, make sure they are SSAE 16 certified or have some other credible form of certification validating that their products and services have been independently scrutinized. Leave nothing to chance. Build into your SLAs language that promotes security and privacy.

As a private consumer, how do you verify that everything that can be done to protect your personal privacy and security is in place and functioning correctly? Our current consumer environment is generally business friendly which is not conducive to security or privacy. Some suggestions I would offer are to actually read the privacy statements associated with your vendor. Opt out of as much data sharing and profiling as you possibly can otherwise your “anonymized” identity will be sold to the highest bidder. Keep all of your personal applications fully software patched and use current security software suites that come highly rated. Understand your rights as a consumer even on free service sites such as Facebook, Gmail and countless others. You wouldn’t buy a car without seat belts would you?

Article first published as Would You Buy a Car Without Seat Belts? on Technorati.