Why do they never learn? (Skype outage IS security)

There has been a lot of buzz around the Skype outage lately. Skype is saying this is not a security problem, and the industry does not entirely agree.

IMO, this is a typical security event. Not IT-security perhaps, although it might be that as well. It is about information security in the broad meaning. It is about service quality. About reputation. About business continuance. And most of all - it is about respect for the customers.

To me this is all very simple.

You set a goal (Skype: global leader of VoIP - or any other hairy goal).

You determine your strategy to get there (Skype: Free for all, add paid services, high quality, P2P).

You analyze potential risks that may get in your way (Skype: Competitors, lack of bandwidth, SERVICE outage - local/global).

Review the probability and potential costs of each risk (Outage: lose customers short and long term, lose credibility, lose revenue).

Set up countermeasures relevant and adequate to the risk and its impact (Outage: backup power, backup Super-nodes, different locations and NICs).

Prepare a PR and info plan for each possible (and unlikely) event (Skype: make sure you know what happened. Never blame anyone unless you can prove it. Prepare one story, stick to it).
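The steps above (list the risks, estimate probability and cost, pick countermeasures that are adequate to the impact) are what a quantitative risk register does. The following is an added worked example, not code from the original post or from Skype: it computes the annual loss expectancy (probability times cost per event) for each risk, then scores each candidate countermeasure by how much expected loss it removes minus what it costs. Every figure in it is a constructed placeholder, chosen only to make the arithmetic visible; none are Skype's real numbers.

```python
"""Risk register worked example (added illustration, not from the original post).

All probabilities, costs and countermeasure effects are constructed placeholders.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Risk:
    name: str
    annual_probability: float  # chance the event happens in a given year (0..1)
    cost_per_event: float      # direct and indirect loss per occurrence, in currency units

    def annual_loss_expectancy(self) -> float:
        # ALE = probability x impact: the standard single-number view of a risk
        return self.annual_probability * self.cost_per_event


@dataclass(frozen=True)
class Countermeasure:
    name: str
    annual_cost: float
    probability_factor: float = 1.0  # multiplies event probability (1.0 = no change)
    impact_factor: float = 1.0       # multiplies cost per event (1.0 = no change)

    def residual(self, risk: Risk) -> Risk:
        # The risk that remains once the measure is in place
        return Risk(
            risk.name,
            risk.annual_probability * self.probability_factor,
            risk.cost_per_event * self.impact_factor,
        )

    def net_benefit(self, risk: Risk) -> float:
        # Expected loss avoided per year, minus what the measure costs per year.
        # Positive means the measure pays for itself; negative means it is over-engineered
        # for this risk (or needs a second risk to justify it).
        before = risk.annual_loss_expectancy()
        after = self.residual(risk).annual_loss_expectancy()
        return before - after - self.annual_cost


def rank_risks(risks: List[Risk]) -> List[Risk]:
    """Largest annual loss expectancy first: where to spend attention."""
    return sorted(risks, key=lambda r: r.annual_loss_expectancy(), reverse=True)


def rank_countermeasures(risk: Risk, measures: List[Countermeasure]) -> List[Tuple[float, Countermeasure]]:
    """Countermeasures for one risk, best net benefit first."""
    scored = [(m.net_benefit(risk), m) for m in measures]
    scored.sort(key=lambda pair: pair[0], reverse=True)
    return scored


def worthwhile(risk: Risk, measures: List[Countermeasure]) -> List[Countermeasure]:
    """Only the measures whose expected saving exceeds their cost, in input order."""
    return [m for m in measures if m.net_benefit(risk) > 0]


# Constructed risk list, loosely following the post's examples (not real figures).
OUTAGE = Risk("global service outage", annual_probability=0.10, cost_per_event=5_000_000)
RISKS = [
    OUTAGE,
    Risk("local outage (one region)", annual_probability=0.80, cost_per_event=50_000),
    Risk("bandwidth shortfall", annual_probability=0.30, cost_per_event=200_000),
]

# Constructed countermeasures for the global outage risk (hypothetical costs and effects).
MEASURES = [
    Countermeasure("backup power", annual_cost=100_000, probability_factor=0.7),
    Countermeasure("second-site supernodes", annual_cost=200_000,
                   probability_factor=0.5, impact_factor=0.6),
    # A comms plan does not stop the outage, but it limits the reputational cost of one.
    Countermeasure("incident comms plan", annual_cost=20_000, impact_factor=0.8),
    Countermeasure("full geo-redundant rebuild", annual_cost=1_000_000, probability_factor=0.1),
]


if __name__ == "__main__":
    for r in rank_risks(RISKS):
        print(f"{r.name:32s} ALE = {r.annual_loss_expectancy():>12,.0f}")
    print()
    for benefit, m in rank_countermeasures(OUTAGE, MEASURES):
        print(f"{m.name:32s} net benefit = {benefit:>12,.0f}")
```

The ranking shows the point the post makes about "adequate" countermeasures: the cheap comms plan and the second-site supernodes both come out ahead of raw backup power, and the gold-plated rebuild has negative net benefit against this one risk, so it would need other risks in the register to justify it. Real registers use ranges rather than point estimates, but the comparison logic is the same.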

Voila. There you have it. This is not rocket science. It only takes a little care, a little planning and a little sense. Add a vivid imagination and an open mind, and you will end up with a pretty good list. It will most likely never cover every aspect out there. But it sure will help you when disaster strikes - because you are prepared.

This list only uses Skype as an example. It is not exhaustive, only covering a few possible areas, and speculating as to the relevant Skype issues.

If you turn the table to the users - they need to do the same homework. Some 30% of Skype users use it for work-related communication. How do they experience this type of outage?

This is all about security. Securing the continuance of the company. Securing the trust of your customers. Securing the future, revenue stream and profit.

After all, you are in it for the money - make sure you protect your assets!


---

Edit:

I just came across this post by David Whitelegg CISSP CCSP (what a name, huh? - Pun intended). It pretty much sums up how to treat security IMO.

Definition

Hi Andy, thank you for your good point. It is all about how we define security. My mission is to get management to understand security - and they simply do not care about the technology - they need to be taught the business relation of the topic.

It is strange how much we have agreed lately!

If you do not know Andy yet - do take a look at his blog! Well worth it, IMO.

Good Point

Kai, I agree that too often we don't see the security side of an event. If security is CIA, then "no Skype" is a security event. No availability. I know that in the truest sense this isn't a security event, but it does play into security for some companies depending on their use of the product. But I think that in order to truly be secure we have to look at everything from a security mindset.
