Information Security Lessons Learned from the ChoicePoint Debacle
By Kevin Beaver on Tuesday, May 03, 2005
The recent events surrounding ChoicePoint’s disclosure of thousands of consumer records containing personal and confidential information to criminals posing as legitimate businesses have brought information privacy back into focus. Shortly after the news broke about this issue, the highly-respected information security portal SearchSecurity.com featured an interview with ChoicePoint’s Chief Information Security Officer, Rich Baich. This interview sheds some interesting light not only on what happened but also on how information security is defined by different people.
Whether or not you agree with the responses in this interview such as “fraud happens every day,” “this is not an information security issue,” or “this has been mislabeled a hack and a security breach” is up to you – like most things, it’s easy to argue both sides.
I certainly wasn’t behind the scenes of this unfortunate incident, but the way I see it, there are some lessons to be learned that create a forum for discussion. Here are my thoughts:
- Computers and networks aren’t always breached in the stereotypical way we normally hear about – an unauthorized hacker breaks in, steals the “loot,” and doesn’t leave any tracks. The ChoicePoint debacle was a classic case of social engineering: real people with a seemingly legitimate business need built trust over time, then exploited the information they were given. The only way to stop something like this is through better security awareness and stronger business processes – items the information security function is responsible for. These types of situations are information security issues.
- Information security is not always about firewalls, virus protection and policies. The cornerstones of information security are the assurance of the confidentiality, integrity and availability of information – regardless of how it’s being used. Business processes surrounding all types of information – electronic or hard copy – fall under this umbrella. Once again, an information security issue.
- It’s becoming more important to understand who you’re doing business with – both personally and professionally: what their information security practices are, how seriously they take confidential and sensitive information, and when and how you’ll be notified in the event your information is compromised. It certainly doesn’t hurt to ask your government representatives and other “powers that be” why third-party companies even need, much less have, so much of your critical information in the first place.
- The legislators and regulators now have more ammo in the fight to protect confidential and sensitive information. Do I believe this will help? Maybe – but one thing’s for sure, it will certainly bring more awareness to this issue. Something we desperately need. California’s Senate Bill 1386 requires organizations doing business in that state to notify California residents when their unencrypted personal information is acquired, or is reasonably believed to have been acquired, by an unauthorized person. That’s where we’re headed at the state level and likely the federal level, especially after the ChoicePoint issue. I’m rarely happy about bigger government, but if it means companies that possess information near and dear to our hearts are going to be held more accountable for their business practices, I’m all for it.
No one is more to blame here than the criminals committing these crimes, but it’s time for upper management to step up too. CEOs, CFOs, COOs, and even IT executives need to realize that information security is a big deal for the business, for customers, and more importantly (in their minds at least) for shareholders.
Information security should be as much a part of overall risk management as finance, legal, and the like are in today’s businesses. If we don’t stop focusing most of our efforts on the technical security solution du jour and place more focus on the non-technical aspects of information security – the Big Ps: Policies and Processes – incidents like the one at ChoicePoint will no longer be the exception but rather the rule.
Kevin Beaver, Principle Logic
kbeaver @ principlelogic.com