Complete security is an oxymoron

An interesting Kiwi business startup caught my beady eye today. Without being too specific, they are offering a financial service, making me curious about the legal and regulatory hoops they presumably had to clear in order to do so.

Checking their shiny new website hasn't exactly inspired me with confidence. The home page claims to be using a completely secure platform ... which is, I suspect, a bit of a porky, an exaggeration, stretching the truth. Maybe they have been carried away by their own marketing. Perhaps they are just naive.

I have never come across a totally secure system, and seriously doubt there is such a beast. Sure, I've dealt with many highly secure systems, all of which were vulnerable in various ways. None of the organisations concerned had the nerve to claim they were totally secure, however, since (with a little guidance from pros like me!) management accepted that there were residual risks, despite all our efforts.

Paradoxically, by claiming total security, they are painting a large target on themselves, setting themselves up for a fall - and that's a shame because, as I said, they are a Kiwi startup with an interesting business product that the founders have personally invested in getting to market. I'm not naming the company to avoid adding fuel to the fire. I would love them to soar, not crash and burn. I wish them well.

It gets worse: I can't find any further information about their security arrangements on the website, partly due to some broken links. That's not a good look for any business - ourselves included, but we aren't offering financial services and don't claim to be totally secure. The security bar is set higher for them.

[Hint: integrity and availability are both core parts of information security.]

So, what next? I guess I'll try contacting them about this, softly-softly. I'd rather they considered me a friend than a threat.
