When ignorance isn’t bliss

Nothing is worse than coming in as an external consultant, delivering your work and realising it will get filed away or your recommendations ignored because they don't want to hear it.

Recently I was assigned to an engagement with one of the Principal Consultants. This consultant has a tremendous amount of experience and is someone for whom I have great respect. Always curious to know what motivates people, especially those who have held the same role for years, I asked him en route to the client site, "So what sort of gigs do you enjoy the most?" He replied without missing a beat, "The kind where you can make a difference." His rationale was simple: nothing is worse than coming in as an external consultant, delivering your work and realising it will get filed away or your recommendations ignored because they don't want to hear it.


I have seen this with penetration tests where the findings are filed away and the organisation is eventually compromised through the very issues reported. Or tests where only the high and medium findings are addressed, followed by a pat on the back all round for a job well done. Some organisations would rather focus on policy creation and talk about ISO standards without ever taking their gap analysis to the next step of peeling back the hood and really examining how all their controls are running. In fact, every security professional I've spoken to has similar stories. The reality is that some businesses would rather not know the truth.

The examples set by companies like Sony highlight the point. By not shining a light on the way things run, they can continue to turn a blind eye to it. They can't be asked to fix a problem they know nothing about. They can't be held accountable if they've never been told. So long as they never get owned, that is. If it were not for the stream of NDAs and waivers we're forced to sign as the price of entry into this field, the average information security professional could tell stories to the media that would cause the average Joe to tremble with rage at how their information is protected.

The reality is that in Australia as it stands, beyond largely unenforced privacy legislation, no company has been fined to date for breaching its duty of care. There are minimal legal obligations to protect information and even fewer to notify in the event of a breach. Australia is lagging behind its Western counterparts on what our obligations are to protect information. And since the law is slow to respond, businesses will only pay the minimum required, and to be fair, rightly so.

IT security is a cost, no matter how you slice it, and any legislation which raises the cost of security has a direct impact on the cost of providing services. But at some point we need to start asking ourselves "how much is enough?" This is a line we can only guess at, and even that line will blur between security consultants. I don't want to try and second-guess people, but if your choices come down to properly understanding the magnitude of the problem and making an informed decision about how to manage the risk, or burying your head in the sand and hoping the problem goes away, I know which option I'd choose.



If there is one thing we've learned this year, it is that there is a long trail of companies behind us, littered like corpses, that chose the latter. Don't be a victim.

Your thoughts, and experiences, by way of comment are invited.


3 Comments

Mark Jones

1

Good article mate. You are right in saying that all IS pros will have at least one story to share about an "ostrich" discussion (head in sand :) ). Let's hope it gets better down the track.

Brad Ellis

2

Yet another good article Jarrod!

However, are businesses to blame for minimising their costs, when the legislation doesn't always reflect what the people expect?

Like many other people, I was dumbfounded by the Australian Information Commissioner's report into the Sony PlayStation matter. Two key questions arise for me:

1) If the entity responsible wasn't an Australian company, then does our privacy commission have any power?

This question stems from the first sentence - "Sony Computer Entertainment Australia did not breach the privacy act ...". So was it Sony Computer Entertainment Australia or another entity that was responsible for the private information of the Australians affected?

2) What controls did Sony have in place to prevent SQL injection attacks?

It may be true for the Australian Information Commissioner to say "... that appropriate physical, network and communication security measures were in place".

However, does this address the required security measures if, as reported on the eWeek Security Watch site, it was an SQL injection attack that was used to expose the data?

In conclusion: There doesn't often seem to be a "cost" to getting it wrong - or, if there is a "cost", it's the programmer or system administrator who gets the blame! I remember a senior member of staff commenting to me that he felt a particular system administrator was responsible for an issue ... Looking back, I'd suggest that there were a lot more contributing factors than just the actions of a relatively low-paid system administrator who, I would argue, was never given the required training by the organisation.

If investigations into breaches looked into the organisational culture that allows these issues to go unchecked, the results might be different.

However, it would be a brave investigator to write the report, as the odds of repeat business could be very low!

Jarrod Loidl

3

The Privacy Commissioner - AFAIK - has no power to impose penalties presently. This makes the entity "a toothless tiger" ultimately.

Brad, you are spot on. Most organisations fail in a number of ways. Taking the Sony example, when was the last time they conducted a penetration test? If they had, was SQL injection ever a finding - proving that they were aware of its existence before the breaches? And if so, how far back?

A number of organisations are choosing deliberately to NOT undertake penetration tests precisely for this reason, so they can intentionally claim ignorance of the problem. Now that sort of wilful neglect is much harder to detect, let alone legislate against, and to my thinking a much scarier prospect.

- J.
