Monday, October 7, 2013

Living in Glass Houses - #InfoSec Industry's Culture of Shaming

Edit (10/9/13 16:26 EDT)
Thanks to Steve Ragan for pointing out that the Internet never forgets ... in case you want to see a glimpse of the original post which has since been (quietly) removed, click here.

-------------
If you're anything like me and like to keep up on the industry, you've no doubt been overloaded with news on the apparently epic Adobe hack. As some of you may no doubt point out I'm no apologist for companies who fail to take security seriously, and I've made my share of pokes and jokes at Adobe's expense over the years. There is, however, a line I hold myself and others who wish to be known as professionals to. That line is personal hit-pieces where you're targeting a particular individual for the sins of the collective. This is commonly known as bulls***.

That being said, I took serious offense when I saw the original version of this post (I wish I had taken a screen capture, but it was quite distasteful) from Richi Jennings on Computerworld. When I read the original which basically sought to crucify Brad Arkin for Adobe being hacked I got upset. So upset that I took to Twitter and let Richi know it, and I can't say I was too polite either... After a few others laid into the author, the post was dramatically changed, the picture of Brad with the overlay "Fire Me" came down, and there was an apology. Of course, if you want to see the sorts of trolls that apparently read that column, look no further than the comments...yikes.

Anyway... let me get to the point.

There are some points I think we largely still miss as a security industry, judging by the interesting and colorful discussion about firing CISOs in the wake of a breach we had earlier in the day this post was written.

First, security is hard. Those who lament the failures of security professionals on the defensive from their offense armchairs (aka penetration testers) need to play defense for a while. You'll get an attitude adjustment, I promise. I came from a small company penetration tester mentality when I joined a massive global conglomerate back in early 2000's - and let me tell you that attitude adjustment was harsh. My "why can't you just fix this" was met with retort like "because we have budget to do one of two things - release the product and make the company money and keep our jobs, or hope to add security" over and over. I eventually learned the harsh lesson, luckily before I was relieved of duty.

Now, not apologizing for years of poor security practices in software products you sell to others to use, but Adobe has come a long way by my measures. They used to have Flash! bugs almost weekly - a torch which has been passed to Java. They also had poor practice in community interface, and other issues which no one really needs to hear over and over again. Brad Arkin's appointment to the Corporate CISO has made a tremendous improvement in that organization, and those who discount that simply don't know better...and if you don't know, stop talking.

Now back to security being hard. I can relate here. I've never been the CISO for a global conglomerate which has grown by acquisition as well as organically - but I did work for one. On that team which was responsible for global security but had very little mandate power - life was hard. When the company got breached we were in the firing line. When we worked tirelessly to do what we could with the few pennies we were given no one batted an eyelash. It's a thankless job trying to save the victim from drowning themselves - but that's what you sign up for when you go to work in #InfoSec in the corporate world. I get that. The last thing you need is some guy touting your employer relieving you of your job. Seriously?

Whether you're a Christian or not, there is a Bible verse which rings true in all our lives. John 8:7 says "..He that is without sin among you, let him first cast a stone.." Remember this my friends and colleagues, as you read the news and jump on the bashing-the-victim bandwagon. Some day very soon, if logic holds, your organization will be breached, hacked, sacked and shamed publicly by people just like you. You'll want to tell your peers in the industry just how hard you've worked to make even the smallest changes in culture, and how long it takes to change hearts and minds, attitudes, and budgets. But no one will listen and instead they'll be calling you names, laughing, and calling for your head. That's probably not the right thing to do, you think?

As the saying goes "People in glass houses shouldn't throw stones". We all have to live with issues that at any moment could expose us - whether it's in our personal or professional lives. There is no secure. So the next time you want to get your names in the publication talking about how stupid that one vendor is because they got hacked - ask yourself - what would you want your peers to say when it happens to you?

1 comment:

Mark Evertz said...

Raf,
Love it. Keep trolls and other a-holes in line by showing them a mirror. Hit pieces masked as journalism are unfortunately the norm so I suspect you'll be reworking and sharing this post a lot . Congrats I think you just created the "Hey asshole!" Blog template.
Cheers,
ME

Google+