In cybersecurity, what do Due Care and Due Diligence truly signify?
As the Information Security Officer of an organization, it is your responsibility to secure systems and sensitive information and to protect them against vulnerabilities - or, as I like to call it, “keeping the bad guys out.”
There are a few different scenarios that could lead to a failure in security:
- You may not be aware of vulnerabilities in the system. (Oops!)
- You may be aware of vulnerabilities but have not taken action to address them. (Come on, it’s not that hard!)
- You may not have received support from management to implement preventive controls for vulnerabilities. (Well, at least you tried!)
We can overcome these failures through Due Care, which means proactively addressing security vulnerabilities with concrete measures, and through Due Diligence, which ensures thorough research and assessment before making security decisions, so that the choices made to mitigate risks are informed ones. Together, these approaches help prevent security failures and strengthen the overall cybersecurity posture.
Let’s take an example. Suppose you are planning to do penetration testing on an application. You would start by selecting a penetration testing provider: you thoroughly research different providers, compare their capabilities and track records, and read customer reviews to ensure they have a good reputation for penetration testing. You also carefully review the terms of service and any legal agreements to understand your rights and responsibilities regarding data protection. This way, you are making an informed decision to protect your company’s data. This entire activity falls under Due Diligence; actually carrying out the penetration testing is Due Care.
Customers often assess the security of a product before purchasing it, and may request a summary of penetration testing reports as part of this evaluation process. As a cybersecurity officer, it is important to ensure that products are regularly penetration tested and that reports are readily available. (After all, who doesn’t love a good penetration test report?) Engaging a third-party company for penetration testing and understanding the legal aspects of this engagement is also considered due diligence. Leading the engagement, helping the vendor to perform the testing, and ensuring that all necessary steps are taken to close out the engagement are considered due care.
In summary, due diligence involves gathering information and assessing risks before making decisions, while due care involves implementing reasonable measures to prevent known risks and ensure responsible behavior. Both concepts play important roles in various fields and contribute to informed decision-making and risk management.
Impressed by the header image? Wondering how it relates to the article? It is an AI-generated image!
The text prompt given to the AI engine was:
"MARVEL characters engaged in penetration testing to save the world "
Image credit: Stable Diffusion, https://github.com/AUTOMATIC1111/stable-diffusion-webui