Recently I was assigned to an engagement with one of the Principal Consultants. This consultant has a tremendous amount of experience and is someone for whom I have great respect. Always curious to know what motivates people, especially those who have held the same role for years, I asked him en route to the client site, "So what sort of gigs do you enjoy the most?" He replied without missing a beat: "The kind where you can make a difference." His rationale was simple - nothing is worse than coming in as an external consultant, delivering your work and realising it will get filed away or your recommendations ignored because they don't want to hear it.
I have seen this with penetration tests where the findings are filed away and the organisation is eventually compromised. Or tests where only the high and medium findings are addressed and a pat on the back all round follows for a job well done. Some organisations would rather focus on policy creation and talk about ISO standards without ever taking their gap analysis to the next step of peeling back the hood and really examining how all their controls are running. In fact, every security professional I've spoken to has similar stories. The reality is that some businesses would rather not know the truth.
The examples painted by companies like Sony highlight the point. By not shining a light on the way things run, they can continue to turn a blind eye to it. They can't be asked to fix a problem they know nothing about. They can't be held accountable if they've never been told. So long as they never get owned, that is. If it were not for the stream of NDAs and waivers we're forced to sign as the price of entry into this field, the average information security professional could tell stories to the media that would cause the average Joe to tremble with rage at how their information is protected.
The reality is that in Australia, as it stands, beyond largely unenforced privacy legislation, no company has been fined to date for breaching its duty of care. There are minimal legal obligations to protect information and even fewer to notify in the event of a breach. Australia is lagging behind its Western counterparts on what our obligations are to protect information. And since the law is slow to respond, businesses will only pay the minimum required - and to be fair, rightly so.
IT security is a cost, no matter how you slice it, and any legislation which raises the cost of security has a direct impact on the cost of providing services. But at some point we need to start asking ourselves "how much is enough?" This is a line we can only guess at - and even that line will blur between security consultants. I don't want to try and second-guess people, but if your choices come down to properly understanding the magnitude of the problem and making an informed decision on how to manage the risk, or burying your head in the sand and hoping the problem goes away, I know which option I'd choose.
If there is one thing we've learned this year, it is that there is a long trail of companies behind us, littered like corpses, that chose the latter. Don't be a victim.
Your thoughts, and experiences, by way of comment are invited.