When ignorance isn’t bliss


Recently I was assigned to an engagement with one of the Principal Consultants. This consultant has a tremendous amount of experience and is someone for whom I have great respect. Always curious to know what motivates people, especially those who have held the same role for years, I asked him en route to the client site, "So what sort of gigs do you enjoy the most?" He replied without missing a beat, "The kind where you can make a difference." His rationale was simple: nothing is worse than coming in as an external consultant, delivering your work and realising it will get filed away or your recommendations ignored because they don't want to hear it.

I have seen this with penetration tests where the findings are filed away until the organisation is eventually compromised. Or tests where only the high and medium findings are addressed, and a pat on the back all round follows for a job well done. Some organisations would rather focus on policy creation and talk about ISO standards without ever taking their gap analysis to the next step of peeling back the hood and really examining how all their controls are running. In fact, every security professional I've spoken to has similar stories. The reality is that some businesses would rather not know the truth.

The examples painted by companies like Sony highlight the point. By not shining a light on the way things run, they can continue to turn a blind eye to it. They can't be asked to fix a problem they know nothing about. They can't be held accountable if they've never been told. So long as they never get owned, that is. If it were not for the stream of NDAs and waivers we're forced to sign as the price of entry into this field, the average information security professional could tell stories to the media that would cause the average Joe to tremble with rage at how their information is protected.

The reality is that in Australia, as it stands, beyond largely unenforced privacy legislation, no company has been fined to date for breaching its duty of care. There are minimal legal obligations to protect information and even fewer to notify in the event of a breach. Australia is lagging behind its Western counterparts in defining what our obligations are to protect information. And since the law is slow to respond, businesses will only pay the minimum required - and to be fair, rightly so.

IT security is a cost, no matter how you slice it, and any legislation which raises the cost of security has a direct impact on the cost of providing services. But at some point we need to start asking ourselves "how much is enough?" This is a line we can only guess at, and even then it will vary from one security consultant to another. I don't want to try and second-guess people, but if your choices come down to properly understanding the magnitude of the problem and making an informed decision about how to manage the risk, or burying your head in the sand and hoping the problem goes away, I know which option I'd choose.

If there is one thing we've learned this year, it is that there is a long trail of companies behind us, littered like corpses, that chose the latter. Don't be a victim.

Your thoughts, and experiences, by way of comment are invited.


Stories by Jarrod Loidl
