Threat intelligence security vendor AlienVault released its ‘Ethics, security and getting the job done’ report last week and it makes for an interesting read for anyone involved in security, from system and network administrators to CISOs and board members in control of information security budgets.
The report, which is based on the professional experience of report author Javvad Malik (security advocate at AlienVault, former analyst at 451 Research), as well as a study from RSA, which gathered 1,107 responses, highlights that most respondents believe that CISOs should ultimately be accountable for a breach, although some do also cite CIOs, CEOs and even auditors.
However, the most interesting section of the report concerns post-breach mitigation, finding that one in five have witnessed their firm hide or cover up a breach, whilst two-thirds have used the situation to lobby senior execs for more budget.
Approximately 25.7 percent tell the regulator (the ICO in the UK) and pay the fine, while nine percent adopt the attitude of ‘if nobody knows, just keep quiet’. More alarming still is that one in fifteen (6.6 percent) will go and tell the media.
In the report, Malik said that information security has become front-page news, and questioned whether the pressure might get to people working in the industry.
“The downside is that with additional profile come expectations and pressures. In an immature industry, which still isn't fully understood – that could mean corners need to be cut such as bypassing change management procedures to fix issues or sharing administrative accounts.
“Do the ends justify the means? When a professional's job and reputation is on the line – that question can become quite difficult to answer without including a long list of caveats.”
In the summary of the report, he added: “Information security is still a comparatively immature industry that has been thrust into the forefront of many discussions at personal, corporate and governmental levels. This has led to many security professionals having to make up the play book as they go along, evidenced by inconsistent security disclosure practices as well as the ever-changing and complex legal path to navigate.
“Burn-out amongst security professionals has been discussed for some time within the community as well as the need to find a better work/life balance. However, perhaps the most telling trend that emerges from between the lines is that enterprises of all sizes need to provide a better support framework for individuals with information security responsibilities. Be this better access to training, networking opportunities with peers and not trying to find scapegoats in times of incidents.”
He expanded on those points when speaking to SCMagazineUK.com earlier today, saying that breaches will happen, and comparing overworked security folks to Walter White (played by Bryan Cranston) in Breaking Bad.
“Breaches are a part of doing business - we all know it will happen. But at the same time, the best laid plans seem to go down the pan when a breach does happen. When the public spotlight is put on a breach, we have lots of commentary on what went wrong from an external perspective and I think companies feel like sacrificing their CISO as a way to appease the public is a necessary step.
“So, we have potentially career-limiting implications of a breach which could be a reason behind dubious behaviour. I'm not justifying the behaviour - but say you're a poor chemistry teacher with no medical insurance that has been diagnosed with lung cancer… maybe one can understand why you'd end up cooking meth to pay the hospital bills.”
Malik added that the report's findings, especially the use of breaches to get more money, pointed to "fundamental problems that need to be addressed", and believes EU legislation may bring cases to light.
Dr Jessica Barker, an independent cyber-security consultant, added that staff may become disillusioned over time, even citing a recent example of one professional asking her if she'll still be so positive in the years to come.
“There is something about the longer you're in the industry, the more you see the same old conversations, same messages and same causes of breaches," she told SC. "If they feel dispirited there is that sense of ‘why bother’.”
Barker added that each breach would be different, and companies may have acceptable data loss, hinting at a disconnect between IT security and senior management.
AlienVault's report also found that just over half of infosec professionals use the dark web, and associate with ‘black hats’, to help them do their job, and that most see the Internet of Things as a technological evolution (though one which needs more privacy regulation, and devices that can be patched and monitored, with their data segregated).
It also found that while most security professionals will privately disclose bugs, a surprising number do nothing (9.5 percent), just tell friends (8.2 percent), claim a bug bounty (5.5 percent) or sell on the black market (2.5 percent). The lack of integration hinted that filing these was “too arduous” and “raises the question whether companies could be doing more to facilitate easier disclosure – or if intermediaries such as bug bounty organisations can assist individuals navigate the process even where a formal programme does not exist.”
Paco Hope, consultant at Cigital, told SC: “It is true that some set of security professionals find and disclose vulnerabilities as part of demonstrating the value of security to their respective firms. There is a huge lay population who overestimates the security of software, so some security professionals resort to incendiary demonstrations to focus the issue. Open and well-run markets, like bug bounty programmes, are better for the software and security industries than black markets in vulnerabilities.”