The SANS Newsbites email today has a link to this article on Forbes.com. It talks about the apparent disconnect between what Security and Privacy departments think is going on and what seems to really be going on. Now I'm not accusing anyone of lying to the Security/Privacy departments or to management, but it sure looks like someone may not be telling the whole truth. More than likely what has happened is a disconnect between these departments: Security/Privacy creates a policy that states that sharing personal data or sensitive data with third parties is not allowed, and Marketing either is unaware of the policy or decides that the policy is stupid and ignores it. This is where my comments in the last post about being able to monitor, verify and enforce policy apply; that ability is crucial to a policy's success.
I know in my personal experience that I've been lied to about certain things. I'm sure I'm not the only one. I've asked questions and received answers that were incorrect, and the person who gave me the answers knew that they were incorrect. When later confronted, I was told that I was given the answer that I wanted. Obviously, since then I've learned not to be so trusting (remember: "I like you. I just don't trust you."). Now I require proof, and if proof can't be given then the answer is left blank and steps are taken to fix the issue.
The real problem is that lying puts the company as a whole at risk. Proper security can't be put in place because the truth isn't known. If an incident occurred as a result of such a lie, it could be detrimental to the company. Again I stress that if we are to do our jobs effectively, then we need to know the truth and be able to verify that truth.