Slashdot Mirror


The Failure of Information Security

Noam Eppel writes to share a recent editorial regarding the current state of information security. From the article: "It is time to admit what many security professionals already know: We as security professionals are drastically failing ourselves, our community and the people we are meant to protect. Too many of our security layers of defense are broken. Security professionals are enjoying a surge in business and growing salaries and that is why we tolerate the dismal situation we are facing. Yet it is our mandate, first and foremost, to protect."

1 of 172 comments

  1. Errare humanum est. by abb3w · Score: 2, Informative
    A response to that sort of ignorant mentality is Yes, Sure, No problem, I just need you to send me a memo resolving me of an internal and external legal action and contractual reasonability I have when corporate information IS lost or maliciously changed.
    You may need to first draft a memo, spelling out the potential security consequences you anticipate, and insist that the boss provide a responding memo that specifically lists them, states that he has considered them, and that you are completely absolved of internal and external responsibility for any of the consequences. If you get one in response, be sure to forward a "file copy" to the company's legal department (which may result in a panicky highest-level countermanding order), and keep a personal copy off-site in the file with your copy of your employment agreements and NDA. (You do have such a file, right?) If your company has an internal audit department that handles security audits, forwarding a copy of it in their direction may also generate abrupt entertaining activity.

    More troublesome is if a problem happens later, and although you are not held responsible (having sensibly covered your ass beforehand as above), you're told to "cover it up". If your company has an ombudsman, a rapid visit is in order; otherwise, lawyer up and find a new job... fast.

    --
    //Information does not want to be free; it wants to breed.