Airing Out Securitys Dirty Laundry

Published: 22/11/2024   Category: security


Former South Carolina security guru's testimony shows how a lack of security culture can open an organization to threats



Last week a former security chief with the South Carolina Department of Revenue got to live out many a frustrated CISO's fantasy. He got to say, "I told you so."

More than a year after Scott Shealy was fed up enough with the lack of support for security within his department to quit, that same agency came forward to announce a breach affecting millions of state taxpayers. And last Thursday, Shealy testified in front of the South Carolina House committee about the departmental problems that led him to quit and likely contributed to the state's IRS becoming a target for hackers.

According to Shealy, he resigned from his job because he wasn't getting the support needed to adequately perform his duties. He told legislators that his suggestions to install security measures went unheard, citing the department's failure to replace him for a full year as a sign of its lack of commitment to security.

"That guy got to have the meeting that every CISO who's ever been unsupported by their bosses wanted to have," says Mike Murray, managing partner for consulting firm MAD Security. "I have had jobs where I've wanted to be able to go in front of Congress and talk like that. It's heartbreaking for that guy and the people who lost their data, but, at the same time, I certainly have had times where I wish I could be that guy."
[How are CISOs preparing for 2013? See "7 Risk Management Priorities For 2013."]
But if reports of the scene are true, it was hardly a satisfying experience for Shealy, who was said to have sometimes quivered during his testimony, according to Greenville Online. Nevertheless, his public post-breach airing of South Carolina's dirty laundry offered a number of key lessons to the infosec community at large, most notably about how important line-of-business support is to security endeavors.
"Until security finds a way to have meaningful discussions about risk and security effectiveness with business owners, it will be hard to get attention and funding for security programs," says Andrew Storms, director of security operations for nCircle. "South Carolina isn't the first organization to have this problem. 'It won't happen to us' is a nearly universal mind set that affects boardrooms and executives everywhere."

As universal as it is, when the alignment of culture between a security organization and the desires of the business is out of whack, it becomes nearly impossible to manage risk, Murray says.

"This guy couldn't be effective at doing his job because he couldn't effect change the way he wanted to," Murray says. "It wouldn't matter if he was the best CISO in the world or the worst. He still couldn't have gotten his job done because he and the security organization were out of alignment with the rest of the organization."

As beneficial as it is to hear publicly about other organizations experiencing the same kind of cultural misalignment that's usually only whispered about in trade-show hallways, there's a reason why Shealy's airing of the dirty laundry makes for such a rare occasion.

"Speaking publicly about your current or former client is a professional risk to your career and your perception as being the 'I-told-you-so' guy," says Gal Shpantzer, an information security professional working in the Washington, D.C., area. "You have to be very careful, especially in infosec, because if you're seen as breaching trust, you're never going to work anywhere again."

Shpantzer warns CISOs and security clients to tread carefully following a breach, when the urge to burn bridges for the sake of having the last word hits.

"No. 1, don't do something stupid that will get you sued or perceived by others as someone who can't keep a secret. Be careful not to violate any contractual obligations," he says. "If you're dragged into committee and forced to submit a statement, that's different."

At the same time, security pros should be prepared for the inevitable fallout that comes from a breach, he says. Whether or not a security officer ever finds himself in the hot seat -- at a public testimony or just a closed-door board meeting -- it pays to keep records.

"Every security officer is a potential fall guy once a breach occurs. So some CISOs keep what we call in the D.C. area a 'Washington Post file,'" Shpantzer says, explaining that this file should be ready for when the bad news about a breach at your company hits the pages of major news outlets. It's a time when many a boss will ask why a CISO didn't ask for resources or warn about the risks.

"You can say to your boss or a lawyer under subpoena that all the emails are archived, all the proposals are archived," he says, "but just to save you time, here's a DVD with information about every budgetary request and the risk justification for it for the last couple of years, along with presentations on similar examples in our sector paralleling the nature and amount of information at risk."
Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.
