What Should We Do About Security Ethics?
An anonymous reader writes "I am a senior security xxx in a Fortune 300 company and I am very frustrated at what I see. I see our customers turn a blind eye to blatant security issues, in the name of the application or business requirements. I see our own senior officers reduce the risk ratings of internal findings, and even strong-arm 3rd party auditors/testers to reduce their risk ratings on the threat of losing our business. It's truly sad that the fear of losing our jobs and the necessity of supporting our families comes before the security of highly confidential information. All so executives can look good and make their bonuses? How should people start blowing the whistle on companies like this?"
Wikileaks (Score:5, Informative)
How my company handled it. (Score:5, Informative)
If you're failing SOX/SAS-70/404 audits (or whatever types of audits apply to you)... that's bad, although you've already identified that.
We formed a data security team - it's just one dedicated person right now, but since he's really only involved with the policy stuff, that's enough for us - however, he does hold frequent and regular meetings with management across all departments. The DS team recently published our "best practices" which every developer now has posted at his/her desk.
Because management took this very seriously, we became one of the first companies in our industry to have all of the current versions of our software fully compliant with industry security standards.
If there are no standards set forth for you, I suggest you make your own. It takes time and they must be well thought out, and no compromises can be made (that's a bad pun, sorry). Use your audit results (the actual audit results, not the strong-armed ones) as a baseline for improvement. Dedicate a resource to data security. Whatever you have to do. Since you're a senior level person, you should be able to convince people to allow you to do it.
If you have security issues and a breach occurs, well... I think you know what could happen.
Kay Sara Sara (Score:3, Informative)
I too worked for a company that catered to the people that made money for it. $40 billion+ in assets at the time. No matter how hard I tried, security ALWAYS took a back seat to profit, ease of use, and not rocking the boat. I was the head of network security; there was not even a CSO. The hierarchy wasn't even in place. One day I even saw a live network hack in progress as one of our network engineers was using a VNC server not protected by our corporate firewall! Someone on the outside had found it and started using his desktop! I couldn't believe my eyes! In the end it came down to me just accepting that this company, and a vast majority of corporations, will always and forever be run this way...until, of course, the proverbial $#It hits the fan, at which point I didn't want to be there.
So I left and never looked back. I suggest that this also be your course of action before the one left holding the bag is you.
Re:Essay: Catch 222-22-2222 (Score:4, Informative)
Re:Three Words: (Score:3, Informative)
Re:How my company handled it. (Score:3, Informative)
If you're failing SOX/SAS-70/404 audits (or whatever types of audits apply to you)... that's bad, although you've already identified that.
Now how the FUCK can you fail a SAS-70 audit? You get to set your own damn criteria for passing!
Re:Three Words: (Score:2, Informative)
Re:Wikileaks (Score:1, Informative)
Re:2 words: Whistleblower Laws (Score:3, Informative)
I have an acquaintance who was a financial underling at a publicly traded company. The CFO discovered some irregularities with the books and blew the whistle on the shenanigans. Within 6 months he was history, along with anyone else who TPTB determined was in the 'penumbra of blame.' Came damn close to my acquaintance but didn't affect them.
Look at it this way; are you gonna want to keep around the guy who spoiled the ride for the rest of the clowns? If you are one of the beneficiaries of the monkey business you'll never look at the whistleblower the same way again.
Re:Three Words: (Score:4, Informative)
If it bothers you ... (Score:1, Informative)
Get a different TYPE of security job.
Think about it. Most "general security practitioners" are DEFENSIVE roles. A lot of us even have taken time to get mad at even the existence of third party "penetration testers" as some sort of a professionally equivalent role to the defensive security practitioner. I have in the past. But, being a DEFENSIVE practitioner puts a lot of weight on the shoulders of people who are interested in taking on the job. It's not as glamorous and exciting as it seemed, just a few years ago.
Think about it. Suppose one of your organization's cover-ups turns into a full blown incident. What happens? The CXOs pick some heads to roll to appease owners/share-holders. Who's going to roll first? The person who is responsible for security. So, yes, while other slashdotters suggested a CYA approach (document, retain documentation external to your org's control, and present documentation to approach management, etc.), perhaps it's time to consider taking a consulting role from the outside?
As a consultant, a security practitioner can move from shorter engagements to more short engagements. There are no long ties to a single organization. There is no sense of "ownership" of the problem; only "ownership" of presenting the problem with recommended solutions. Even though I'm usually disgusted by them, I envy people with "penetration testing" jobs because they get to poke some holes in stuff that often times you knew already existed (or likely existed, if you didn't know the exact details) and they get to go home, paid well, and sleep comfortably at night. If the holes get exploited, they don't roll. And since pen-testing is a pseudo-science (arguing the positive by proving the negative does NOT exist), even if they didn't find the same hole that lands your org on the front page of the Times, they can just say things like "well, we found other just as disastrous holes-- exploiting any of them could have had the same result" or some other similar bullshit.
Lastly, another alternative that you have in front of you, is
Take your pick. There are other options than being defensive and disappointed. But one thing is right: those who understand security are certain to be VERY pessimistic.
To the OP (Score:1, Informative)
I have, at times, been put in a similar situation - Management wants to, or believes they can, mitigate the risk if they just don't look at it or just pretend it doesn't exist.
What it mainly comes down to is that Upper Mgmt wants to protect their bottom line - return on investment to shareholders. If this comes at a cost of skirting some laws, or bending the rules a little to appease them, then so be it. *cough*Enron
The best advice I could give you is to document, document, DOCUMENT. Document everything. Save it everywhere. Save it on your work hard drive, save it to the server, email it to another trusted individual, print it out and save it in your work file cabinet, etc. If your company wants to erase info, if you have enough copies in the workplace, there will not be any way they will get them all. You get the picture. Because, if something DOES happen (and chances are, it will...we all know it is just a matter of time) then it is documented and you can hopefully save your rear end and not end up in the slammer with Bubba. I would not do anything rash, like post it to wikileaks or something similar, because there is a good chance it could still be tracked down to you, and then you are in a world of hurt.
If you are an Infragard member, perhaps talk to your SA about it. Your conversations with them are confidential and you might be able to get some more advice about the matter. Also, that is another way for you to CYA. Again, protect your rear end. Yes, I know this can go against the grain of what Slashdotters want to do/say/hear/OMG GOV'T IS BAD/etc, but they are a good resource and can offer you advice. Perhaps there is already an ongoing investigation, and your information would be helpful.
I wouldn't do anything that would jeopardize your job - they are hard to come by, and we all know that the economic outlook isn't the greatest, no matter what part of the world you live in. Just document, document, document. Make sure your boss is aware of your concerns. If that is ignored, then all you can do is document, document, document.
I wish you the best of luck - I do not envy being put in that position, as if the breach is severe enough, it really is a no-win situation for everyone involved.