'Burnt-out' security pros hide breaches, demand bigger budgets

A new report into the ethics of security professionals reveals some eye-opening findings on hidden data breaches, and how incidents are being used to push for bigger budgets.

Much like Walt White, security professionals will do what it takes
Much like Walt White, security professionals will do what it takes

Threat intelligence security vendor AlienVault released its ‘Ethics, security and getting the job done' report last week and it makes for an interesting read for anyone involved in security, from system and network administrators to CISOs and board members in control of information security budgets.

The report, which is based on professional experience of report author Javvad Malik (security advocate at AlienVault, former analyst at 451 Research), as well as well a study from RSA, which gathered 1,107 responses, highlights that most respondents believe that CISOs should ultimately be accountable for a breach, although some do also cite CIOs, CEOS and even auditors.

However, the most interesting section of the report concerns post-breach mitigation, finding that one in five have witnessed their firm hide or cover up a breach, whilst two-thirds have used the situation to lobby senior execs for more budget.

Approximately 25.7 percent tell the regulator (the ICO in the UK) and pay the fine, while nine percent adopt the attitude of ‘if nobody knows, just keep quiet'. More alarming still, is that one in fifteen (6.6 percent) will go and tell the media.

In the report, Malik said that information security has become front-page news, and questioned whether the pressure might get to people working in the industry.

“The downside is that with additional profile come expectations and pressures. In an immature industry, which still isn't fully understood – that could mean corners need to be cut such as bypassing change management procedures to fix issues or sharing administrative accounts.

“Do the ends justify the means? When a professional's job and reputation is on the line – that question can become quite difficult to answer without including a long list of caveats.”

In the summary of the report, he added: “Information security is still a comparatively immature industry that has been thrust into the forefront of many discussions at personal, corporate and governmental levels. This has led to many security professionals having to make up the play book as they go along, evidenced by inconsistent security disclosure practices as well as the ever-changing and complex legal path to navigate.

“Burn-out amongst security professionals has been discussed for some time within the community as well as the need to find a better work/life balance. However, perhaps the most telling trend that emerges from between the lines is that enterprises of all sizes need to provide a better support framework for individuals with information security responsibilities. Be this better access to training, networking opportunities with peers and not trying to find scapegoats in times of incidents.”

He expanded on those points when speaking to SCMagazineUK.com earlier today, saying that breaches will happen, and comparing overworked security folks to Walter White (acted by Bryan Cranston) in Breaking Bad.

Page 1 of 2