How should corporations think about Web security?

The top level security issue is how to function in an open and chaotic environment, Zittrain says.

Question: How should corporations think about Web security?
Jonathan Zittrain: The top level security issue is how to function in an open and chaotic environment. The more secrets your business holds, the more you stand to lose, if a laptop goes missing, if your website gets hacked. And there are some secrets that really do need to stay secrets, like your customers' credit card numbers. And it's amazing to me the number of companies that still don't encrypt them when they store them. So when the hacker gets in, they've got the keys to the kingdom. California passed a law a few years ago, SP-1386 that says, if you have had a vulnerability, a breach of some kind, and exposed customer data to unknown third parties, of a sensitive nature, you have to tell the customer. As you might guess, firms don't like this law. There's been a slew of firms telling customers, "Gee, we screwed up," and yet they still don't encrypt very often. It's very puzzling to me. But to me, aside from the stuff that absolutely has to stay scrambled, it'd be worthwhile to say, "How much of our business plan depends on secrecy and on control, rather than on generativity? On people coming up with neat ideas?" And corporations are starting to get wise to this. Dove is running a competition for people to film their own soap ads, and the winner gets to have the soap ad on TV. So in crude and fitful ways, they're suddenly acting less oracularly. You can even see it in the arts, where writers of television shows no longer speak only through their show, but they have a pod cast and commentary and behind the scenes stuff, because the bandwidth is there to do it. I'm sure there are a number of artists who think, "Too bad. Better that you should speak, J. D. Salinger, only through your books." Whereas others say, "Hey, it's a craft. I'm happy, actually, if people are eager to see what's on the cutting room floor, fine. I'll share it."
 
Recorded on: 3/8/08

Question: How should corporations think about Web security?
Jonathan Zittrain: The top level security issue is how to function in an open and chaotic environment. The more secrets your business holds, the more you stand to lose, if a laptop goes missing, if your website gets hacked. And there are some secrets that really do need to stay secrets, like your customers' credit card numbers. And it's amazing to me the number of companies that still don't encrypt them when they store them. So when the hacker gets in, they've got the keys to the kingdom. California passed a law a few years ago, SP-1386 that says, if you have had a vulnerability, a breach of some kind, and exposed customer data to unknown third parties, of a sensitive nature, you have to tell the customer. As you might guess, firms don't like this law. There's been a slew of firms telling customers, "Gee, we screwed up," and yet they still don't encrypt very often. It's very puzzling to me. But to me, aside from the stuff that absolutely has to stay scrambled, it'd be worthwhile to say, "How much of our business plan depends on secrecy and on control, rather than on generativity? On people coming up with neat ideas?" And corporations are starting to get wise to this. Dove is running a competition for people to film their own soap ads, and the winner gets to have the soap ad on TV. So in crude and fitful ways, they're suddenly acting less oracularly. You can even see it in the arts, where writers of television shows no longer speak only through their show, but they have a pod cast and commentary and behind the scenes stuff, because the bandwidth is there to do it. I'm sure there are a number of artists who think, "Too bad. Better that you should speak, J. D. Salinger, only through your books." Whereas others say, "Hey, it's a craft. I'm happy, actually, if people are eager to see what's on the cutting room floor, fine. I'll share it."
 
Recorded on: 3/8/08