Part One of a Conversation with Patrick Dennis, CEO of Guidance Software
Last week, I had the chance to sit down with Patrick Dennis, CEO of Guidance Software, during Enfuse Conference 2017. The bulk of our conversation revolved around a topic that Dennis considers very important yet under-discussed: the relationship between the private and public sectors, particularly when it comes to jurisdiction over security incidents.
Think about what happens when a company suffers a data breach or is the victim of a ransomware attack. Almost always, Dennis explained, these incidents involve someone outside your company's local law enforcement jurisdiction. As he put it, if a potential cybercrime were committed against his company in Pasadena, it is unlikely that it originated with someone in Pasadena, or in California, or even in the United States. And the minute something is done to a company inside the U.S. by someone outside the U.S., it becomes an FBI matter. He continued:
By the time you’ve gone that path of crossing borders and contacting the FBI, the likelihood that you’ve set off an internal set of controls that says you should be notifying your customers is very high.
Instead, companies too often try to handle these issues on their own, and that’s not effective, either. Rather than just solve the security incident, companies also have to figure out how to manage the negative public relations and legal issues that follow these events. Because of the way the system is set up to handle cybercrime, Dennis said, the adversary – the actual criminal – rarely suffers consequences. But there are almost always consequences for those trying to do the right thing.
The problem, as Dennis sees it, is that justice and the basic rule of law are not being applied to the digital world. As a result, criminals and adversaries go unchecked, and those who are empowered to deliver justice and uphold the rule of law are not able to deal with cybercrime effectively. In our conversation, Dennis listed incidents that disturb him: breaches that steal medical and personal data, the theft and abuse of intellectual property, and the growing number of small attacks against critical infrastructure. But he said what disturbs him most is that when these incidents happen, the police never get to show up:
If someone came and tried to commit a crime in my house, and I called the police, they would come to my house and try to rectify the situation. The same would be true for my company. But who do you call when there is a cybercrime?
How does Dennis think we should approach cybercrime’s law enforcement jurisdiction? Tune into Thursday’s blog post for the second part of my conversation.
Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom's Guide. You can reach Sue via Twitter: @sueporemba.