The recent Symantec source code incident brought to mind a challenge which I face in my work day to day. How far do you analyse risk or more importantly the scenarios where risk can be found?

Symantec are, understandably, playing down the incident of the compromise of an indeterminable amount of its source code. I use the word indeterminable because it is. No one really knows exactly what was compromised, and it’s the lack of knowledge of all the facts that makes downplaying such an incident more of a PR exercise. It’s the type of assurance designed with everyone else in mind rather than a security or risk management professional. “Trust me, I’m a doctor” springs to mind!

So whilst the press is reporting the official line, something that your CEO, MD or other manager is listening to, how do you break the news that there are always two sides to the story? As an information security professional, your side of the story needs to be a balanced one incorporating risk: in this case the risk of both the known and the unknown. And in the Symantec situation there are plenty of unknowns at this stage.

I don’t want to labour on the “knowns”; there’ll be plenty of blogs and articles from others that do. My question is how far do you analyse the unknowns? Or do you leave them alone?

When faced with a situation where it’s in a vendor’s interest to play down a security incident, one which could reduce the integrity of their product and/or service, does this damage the relationship of trust between both parties? Does the lack of facts and analysis leave you equipped to make informed decisions about the risks? Or does the trust between both parties mean that you do as the proverbial doctor says and just trust them?

I know that I’d like to say that I’d go with the latter. However, as an information security professional I learnt very early that assuming something’s secure or OK just because someone says so just isn’t an option. You need to know why. What’s the evidence? And managing information security risk within your supply chain is no different, even if the supplier is a leading vendor of security software.