Slashdot Mirror


What Should We Do About Security Ethics?

An anonymous reader writes "I am a senior security xxx in a Fortune 300 company and I am very frustrated at what I see. I see our customers turn a blind eye to blatant security issues, in the name of the application or business requirements. I see our own senior officers reduce the risk ratings of internal findings, and even strong-arm 3rd party auditors/testers to reduce their risk ratings on the threat of losing our business. It's truly sad that the fear of losing our jobs and the necessity of supporting our families comes first before the security of highly confidential information. All so executives can look good and make their bonuses? How should people start blowing the whistle on companies like this?"

9 of 244 comments

  1. How my company handled it. by awyeah · · Score: 5, Informative

    It's more common than you think. Some of it is due to laziness, some due to a lack of knowledge, and some due to time constraints. Fortunately, for the really sensitive information, management at my company finally put into place very strict policies on how we handle the data: How we store it, erase it, encrypt it, and display it. Granted, most of these policies are actually put in place by vendors that require it, but we've taken those standards and extended them across all sensitive information.

    If you're failing SOX/SAS-70/404 audits (or whatever types of audits apply to you)... that's bad, although you've already identified that.

    We formed a data security team - it's just one dedicated person right now, but since he's really only involved with the policy stuff, that's enough for us - however, he does hold frequent and regular meetings with management across all departments. The DS team recently published our "best practices" which every developer now has posted at his/her desk.

    Because management took this very seriously, we became one of the first companies in our industry to have all of the current versions of our software fully compliant with industry security standards.

    If there are no standards set forth for you, I suggest you make your own. It takes time and they must be well thought out, and no compromises can be made (that's a bad pun, sorry). Use your audit results (the actual audit results, not the strong-armed ones) as a baseline for improvement. Dedicate a resource to data security. Whatever you have to do. Since you're a senior level person, you should be able to convince people to allow you to do it.

    If you have security issues and a breach occurs, well... I think you know what could happen.

    --
    Why, no, I haven't meta-moderated lately. Thanks for asking!

    1. Re:How my company handled it. by pclminion · · Score: 2, Informative

      If you're failing SOX/SAS-70/404 audits (or whatever types of audits apply to you)... that's bad, although you've already identified that.

      Now how the FUCK can you fail a SAS-70 audit? You get to set your own damn criteria for passing!

  2. Kay Sara Sara by WwWonka · · Score: 3, Informative

    Just let them be.

    I too worked for a company that catered to the people that made money for it. $40 billion+ in assets at the time. No matter how hard I tried security ALWAYS took a back seat to profit, ease of use, and not rocking the boat. I was the head of network security, there was not even a CSO. The hierarchy wasn't even in place. One day I even saw a live network hack in progress as one of our network engineers was using a VNC server not protected by our corporate firewall! Someone on the outside had found it and started using his desktop! I couldn't believe my eyes! In the end it came down to me just accepting that this company, and a vast majority of corporations, will always and forever be run this way...until, of course, the proverbial $#It hits the fan, at which point I didn't want to be there.

    So I left and never looked back. I suggest that this also be your course of action before the one left holding the bag is you.

  3. Re:Essay: Catch 222-22-2222 by oyenstikker · · Score: 3, Informative

    It isn't bizarre. It is very simple. To any business, an amount of money larger than the profit they will make from you until the person in charge leaves is worth more than your life. If you are an ex-customer, they'd rather see you die than lose $1.

    --
    The masses are the crack whores of religion.

  4. Re:Three Words: by Heembo · · Score: 2, Informative

    ... and think it means he works for Microsoft? MS spent billions to improve AppSec. They take it seriously, because customers screamed so loud. The secret? Fortune *300*. The company you are looking for is here: http://money.cnn.com/magazines/fortune/fortune500/2007/full_list/201_300.html
    --
    Horns are really just a broken halo.

  5. Re:Three Words: by Anonymous Coward · · Score: 2, Informative

    My bet is on SAIC because I have worked with them before. I work in the safety critical industry and believe me it is absolutely terrifying how lax some companies are about security. For them security is checking a bunch of stuff off a bulleted list and calling it done. They don't actually want to hear about real problems that will cost money and time to fix. It's kind of sad too because companies like these employ a metric ton of "security experts" and "software verifiers". Most of them are just paycheck collectors. They are there to produce lots of safety critical paperwork. The paperwork and bureaucracy are the artifacts they are paid to produce. Actually finding bugs isn't going to make anyone happy.

  6. Re:2 words: Whistleblower Laws by rah1420 · · Score: 2, Informative

    Whistleblower laws are a freaking joke.

    I have an acquaintance who was a financial underling at a publicly traded company. The CFO discovered some irregularities with the books and blew the whistle on the shenanigans. Within 6 months he was history, along with anyone else who TPTB determined was in the 'penumbra of blame.' Came damn close to my acquaintance but didn't affect them.

    Look at it this way; are you gonna want to keep around the guy who spoiled the ride for the rest of the clowns? If you are one of the beneficiaries of the monkey business you'll never look at the whistleblower the same way again.

    --
    Against stupidity the gods themselves contend in vain.

  7. Re:Three Words: by jhol13 · · Score: 3, Informative

    This may depend on the jurisdiction, but in Finland even if higher-ups forbid something (or tell you to do something) it does not give you "get out of jail" card. You are personally responsible for your actions, if they are illegal - tough.