Tell the Truth …

March 12, 2010 at 8:31 am | Posted in Human Factors in Security, Incident Response | 2 Comments

… and shame the Devil, as I was often told as a child. Sound advice you’d think, but in the world of IT Security such honesty could cost you your job. I was alerted on Twitter by Kai Wittenburg to the story of Pennsylvania’s CISO Robert Maley. According to the story on Computerworld’s web site, Maley was fired by his employer, apparently after commenting on a security incident during the RSA show. The reason given for his dismissal was that he failed to get the proper approvals before making his comments. The incident in question appears to have been a vulnerability in a scheduling system at the Department of Transport. The Department denies that any hacking or breach was involved in the incident, but details have been handed over to the State Police for investigation. This furore is taking place against a backdrop of cuts of 38% in IT security budgets and 40% in staffing.

Chances are, Maley’s employer does insist on rigid prior approval for this sort of thing. It’s all part of the culture of secrecy around security incidents that’s endemic in large organisations. The immediate effect is to make it more difficult for all of us to get budgets approved for security programmes. Faced with yet another capital expenditure request for an IT security programme, the CEO will say “… but, if this threat is real, why don’t I ever read about it in the Press?” Answer: because far too many organisations follow the lead of the Commonwealth of Pennsylvania and deny everything.

And there’s another consequence of not discussing these incidents – we don’t learn from them. In his book “Managing the Human Factor in Information Security”, David Lacey describes how the aviation industry has systematically and ruthlessly pursued safety through a combination of mandatory incident reporting and thorough investigation of “near misses”. Any major incident is the result of a series of cascading failures. If any one element holds up under pressure, then the disaster is averted. However, there are still a whole load of individual failures to be investigated and lessons to be learned. Next time, you might not be so lucky.

As our world becomes ever more dependent upon on-line systems, so the impact of security incidents will become ever greater. Unless we allow – even encourage – IT security professionals to follow Maley’s example and openly discuss these incidents, how can we ever hope to improve?




  1. From my understanding, the aviation industry does a pretty good job. I’ve seen a documentary on a reconstruction. They are absolutely ruthless in pursuit of the post mortem.

    The person in question here should hang out his shingle as a security consultant (i.e., professional scapegoat) and triple his hourly rates.

    • Thanks for the comment Dave. I’m an engineer by profession, long before I got into computing. So, I strongly believe that IT can learn a lot from engineering about the discipline of formal processes.
