LinkedIn Defends Security Practices, Leadership

Published: 22/11/2024   Category: security


Social network details its information security lines of authority after being criticized for lacking a chief security officer.



Did LinkedIn drop the ball on information security?
In the wake of a breach of LinkedIn users' passwords that first came to light last week--after a subset of those passwords were uploaded to an online password-cracking forum--security pundits have been asking how much LinkedIn's business practices might have been at fault.
Multiple commentators have noted the absence of a chief security officer (CSO) or chief information security officer (CISO) on the LinkedIn organizational chart, with some inferring that the breach could thus be "traced to a lax security attitude" at the social network, "because no one was responsible for IT security," according to TechWireAsia.
[ Beef up your passwords. Read 7 Tips To Toughen Passwords. ]
But LinkedIn has defended its security posture and response to the breach, noting that after the password theft came to light early last week, by Thursday it had disabled the passwords on all accounts that were known to have been compromised by attackers. "At this time, there have been no reports of compromised LinkedIn accounts as a result of this password theft," according to a Tuesday LinkedIn blog post, which further noted that the company was "continuing to work with law enforcement as they investigate this crime."
LinkedIn said it's also already put stronger password protection in place. "The LinkedIn technology team has completed a long-planned transition from a password database system that hashed passwords--i.e. provided one layer of encoding--to a system that both hashes and salts the passwords--i.e. provides an extra layer of protection," according to the company's blog post. It also suggested that the company was pursuing further security enhancements, though declined to detail them.
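The difference between the two storage schemes the blog post describes is easier to see in code. The following is an added example, not code from the article or from LinkedIn; the article does not name the hash function LinkedIn used, so SHA-1 is assumed here purely for illustration, and the user names, passwords and wordlist are constructed sample data. It shows why an unsalted store leaks which users share a password and can be checked against a single pre-built lookup table, while a per-user random salt makes every stored digest unique and forces any such table to be rebuilt per user. A slow, salted PBKDF2 variant is included as the step a practitioner would take beyond what the post describes.

```python
"""Added example (not the article's or LinkedIn's code): unsalted versus salted
password storage. SHA-1 is an assumption for illustration only."""
import hashlib
import hmac
import os
from collections import Counter

# Constructed sample data: two users happen to choose the same password.
USERS = {"alice": "summer2012", "bob": "summer2012", "carol": "Tr0ub4dor&3"}
# Constructed sample wordlist, standing in for any pre-built lookup table.
WORDLIST = ["password", "letmein", "summer2012", "qwerty"]


def unsalted_hash(password: str) -> str:
    """Old scheme: one layer, hash(password). Same password, same digest."""
    return hashlib.sha1(password.encode()).hexdigest()


def salted_hash(password: str, salt: bytes) -> str:
    """New scheme: hash(salt || password) with a per-user random salt."""
    return hashlib.sha1(salt + password.encode()).hexdigest()


def slow_salted_hash(password: str, salt: bytes, iterations: int = 100_000) -> str:
    """Beyond the post: a deliberately slow, salted KDF (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def store_unsalted(users: dict) -> dict:
    """Password table as the old scheme would store it: user -> digest."""
    return {u: unsalted_hash(p) for u, p in users.items()}


def store_salted(users: dict) -> dict:
    """Password table with a fresh 16-byte salt per user: user -> (salt_hex, digest)."""
    table = {}
    for u, p in users.items():
        salt = os.urandom(16)
        table[u] = (salt.hex(), salted_hash(p, salt))
    return table


def shared_password_groups(store: dict) -> int:
    """Groups of users whose stored digests collide. An unsalted store exposes
    shared passwords this way; a salted store hides them."""
    digests = [v if isinstance(v, str) else v[1] for v in store.values()]
    return sum(1 for n in Counter(digests).values() if n > 1)


def precomputed_table(wordlist: list) -> dict:
    """digest -> word, computed once and independent of any particular user."""
    return {unsalted_hash(w): w for w in wordlist}


def reusable_lookups(unsalted_store: dict, table: dict) -> list:
    """Users whose unsalted digest a pre-built table already contains."""
    return sorted(u for u, h in unsalted_store.items() if h in table)


def reusable_lookups_salted(salted_store: dict, table: dict) -> list:
    """The same table against salted digests: the salt was not part of the
    table's input, so the digests never line up and nothing is found."""
    return sorted(u for u, (_, h) in salted_store.items() if h in table)


def verify(salted_store: dict, user: str, attempt: str) -> bool:
    """Login check under the salted scheme, using a constant-time comparison."""
    salt_hex, expected = salted_store[user]
    candidate = salted_hash(attempt, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    unsalted = store_unsalted(USERS)
    salted = store_salted(USERS)
    table = precomputed_table(WORDLIST)
    print("shared-password groups, unsalted:", shared_password_groups(unsalted))
    print("shared-password groups, salted:  ", shared_password_groups(salted))
    print("table hits, unsalted:", reusable_lookups(unsalted, table))
    print("table hits, salted:  ", reusable_lookups_salted(salted, table))
    print("carol logs in:", verify(salted, "carol", "Tr0ub4dor&3"))
```

The point the post's wording glosses over is that salting is not extra "encoding" of the digest but a change to the hash input: with an unsalted store, one lookup table built once serves every user and every leaked database, and identical digests reveal shared passwords for free. A per-user salt removes both properties. The `slow_salted_hash` function goes one step further than the post by making each guess expensive, which is what limits per-user brute force once salts are in place.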
In terms of security oversight, a story released Friday reported that two people at the company were responsible for security. But LinkedIn said that there had been a misunderstanding with the reporter, and later in the day reached out to correct the record, noting that David Henke, the company's senior VP of operations, is solely in charge of security. Henke's LinkedIn profile lists his responsibilities as being the company's "production operations, IT, data systems, security."
Since then, the company has been defending its security credentials, noting that its technology team "includes world-class security experts," according to the company's Tuesday blog post. "This team includes Ganesh Krishnan, the company's security czar, who previously served as vice president and chief information security officer at Yahoo! Inc. He and the entire security function at LinkedIn reports to senior vice president of operations David Henke," whose LinkedIn profile names his responsibilities as overseeing the company's "production operations, IT, data systems, security." According to Krishnan's LinkedIn profile, meanwhile, he heads LinkedIn's technology center in India. In other words, LinkedIn's head of security, based in India, reports to its head of operations, who's based in California.
LinkedIn said that the absence of a CSO or CISO label on the org chart reflects only the company's job-naming conventions, rather than its security posture. "LinkedIn historically has limited C-level titles only to its chief executive officer and chief financial officer, so while Krishnan does not formally have the title of chief information security officer, that is the role he has played at the company since his hiring in 2010," according to the LinkedIn statement.
But should one employee be in charge of not just security operations, but also IT? Conversely, in the case of LinkedIn, does Krishnan--the company's security czar--report to a suitably senior member of the company?
In general, said Patricia Titus, VP and CISO of Symantec--after referencing glass houses and noting that the LinkedIn password breach could have happened to anyone--many businesses "see security as an expensive add-on" and end up not paying sufficient attention to it. "So they'll dual-hat their IT director and say he's also doing IT security. And in some organizations--I call it the pile-on--they also pile the chief privacy officer (CPO) responsibilities onto the CIO or CISO role."
"So you end up with three titles, and it makes them very thin when it comes to achieving success with any one of those responsibilities," said Titus, speaking by phone.
"Social media companies often face these types of security challenges, simply because they grow so quickly. If it takes five years to evolve your way up to a billion-dollar valuation, then it gives you time to ramp up your growth--yes, we'll hire a security person and put them in," said Tom Patterson, practice director for the commercial security division of consultancy CSC, via phone. "But if it happens overnight, it's going to take time to catch up."
Symantec's Titus, however, noted that many organizations do have a senior-level CSO or CISO, even if that's not their official job title. Other organizations, meanwhile, will typically have at least someone in the CIO's group who's in charge of security, "albeit it's often buried down three layers," she said. For reference, Titus said she reports directly to Symantec president and CEO Enrique Salem.
What's the problem with having a head of security who's buried inside the IT group? "Levels of responsibility, authority and funding are critical to the success of that [security] group," said Titus, who's previously served as the CISO of Unisys, as well as the Department of Homeland Security's Transportation Security Administration. In other words, the position--or lack thereof--of the security chief on the organizational chart can signal the seriousness that an organization is devoting to its security program.
Accordingly, in the wake of the LinkedIn breach, every CEO and board member should be asking not just who's in charge of their information security program, but whether they have sufficient power. For example, a survey commissioned by security vendor CORE Security and conducted by Research Now in April found that in many businesses, CEOs often don't communicate frequently with whoever's in charge of their security program. According to the 100 CEOs and 100 CSOs or other heads of security surveyed, in about one-third of companies, CEOs never receive updates on their company's security posture from the CISO, while in 27% of businesses, CEOs only get updates on a "somewhat regular basis."
In other words, executives at many companies--not just LinkedIn, eHarmony, or Last.fm, all of which experienced password breaches that came to light last week--could stand to sharpen their security practices.
"In the past few days, I've had a lot of meetings with CEOs and mentioned the LinkedIn breach, and I say, if you were silly enough to reuse your password, attackers are combing through the records to see if the password also works for your bank," said CSC's Patterson. "Immediately, the meeting stops and these very high-profile executives leave the room and come back 20 minutes later and say, sorry, I had to change my bank password."