18 May, 2016

Evidence of Absence — Starting Up Security — Medium

Evidence of Absence — Starting Up Security — Medium:


It’s impossible to prove that you haven’t suffered a security breach.
For instance, Google can’t prove that an adversary isn’t reading your email *right now*.
This is not a criticism and is unfair to hold this fact against any company.
Here’s why:
A security team can only describe their efforts to prevent and detect an intrusion. This strengthens their Evidence of Absence. Evidence of absence is weak. However, it’s how everyone trusts everything:
I trust that the measures you’ve taken prove the absence of a security breach.
This trust is undone completely when a breach is discovered.


'via Blog this'