Ashley Madison self-assessments highlight security fears and failures

Internal assessments highlight core concerns for company executives

Last June, executives and business leaders at Avid Life Media (ALM) responded to an internal Q&A addressing their strengths and fears. This assessment was leaked as part of the documents released by Impact Team this week, and offers a unique insight into how their executives think.

In July, the group demanded that ALM halt operations on the Ashley Madison and Established Men websites, warning the company that failure to do so would result in the release of more than 30GB of compromised records. On Tuesday, Impact Team made good on their threat.

The questions below are from a document titled Critical Success Factors. The author of the assessment form is unknown, but the questions asked were answered by each of the company's top executives.

Spoiler alert: They think like a typical executive that's dealing with day-to-day operations at a large company. Security, while important, wasn't the top concern. The larger, operational issues were the priority. This isn't a shocking revelation. After all, security usually becomes a major factor for most organizations only after an incident has occurred.

However, there was a note in the document, with no name attached to it, that referenced an interesting set of problems the company faces. This suggests that on some levels the lack of security was understood, but based on the assessment form, there was a problem with resourcing.

"Notes: Large lack security awareness here. Password management. Tenuous level of review on partnerships. Lack of review on security measures."

Again, the questions below are from the self-assessment form shown to Salted Hash earlier today. The answers listed were provided by the named executive. Instead of reproducing the entire form, which we're unable to do, Salted Hash has reproduced the answers most related to IT/InfoSec.

Will you please tell me, in whatever order they come to mind, those things that you see as critical success factors in your job at this time?

Chris Western, QA Manager, ALM: Having enough skilled people to do test effectively. Need QA specialists who love automation (technically focused), enthusiastic about quality and QA. Half of QA staff wants to move to Dev, the other half lacking technical skills to do automation. Our ability to turn asks around and execute quickly (fluid QA process).

Trevor Sykes, CTO, ALM: Protection of personal information. Because we're a private company, endear our resources to us. Risk of turnover/business continuity. Disgruntlement in teams, need to be careful. More audit capabilities might mitigate this. Traceability. Retention/Motivation/Security concern (bad internal actors). Formalize process of continuous improvement. Heroics still a big factor, codifying full SDLC.

Knowledge sharing across the organization (not doing well enough). Transparency to the business. Meaningful information (not noise) so that the business can have confidence and know what they are paying for.

Disconnects on strategic alignments at times, opportunities are sometimes assumed to be absorbed without impact to commitments. Commitments sometimes made without discussion to the groups executing on the asks. Understanding of what is being displaced.

Noel Biderman, CEO, ALM: People. To execute on our vision, we're going to need to continue growth and talent acquisition/retention.

Keeping up with the jones.(sic) We've been really good as a company at building brand and marketing, I don't know that we've been the best at some of our technology (billing/mobile/etc). I think we need to balance this a bit, don't necessarily need to be the best but certainly keep up with the space.

We should put any and all efforts forward to defend against any security issues that can put our brand and 15 years of hard work at risk.

Amit Jethani, Director of Product Management, ALM: Smooth business process between product and technology management. As long as infidelity is taboo, we have a unique product. If it becomes acceptable/understood then our product will cease to be unique, then we'll be left with just a brand. Brand protection is very important.

Payment processors are small, and they have customer data. Fear of data leak outside our walls. No review process on security policy of our partners.

Legal action taken against us, for our team it's not a big concern. There is a risk that the products we design and techniques we use might be patented. Sometimes we may be aware of these patents, but we do not have any process in place to have situational awareness around patent issues. We try to avoid pure cloning, but it's not robust. We try to be loosely cognizant.

In what one, two or three areas would failure to perform well hurt you the most?

Amit Jethani, Director of Product Management, ALM: Smooth business process. Confidentiality and availability of sensitive data.

Trevor Sykes, CTO, ALM: Interpreting strategic objectives. If followed verbatim, we probably might have many more failures. The technology intuition that often gets rolled into the execution of business asks has been critical. These initiatives are often invisible to the business, yet have enabled our success. (eg: UTF-8, DDoS mitigation).

No official mandate on these tech initiatives, so there's friction. Implicitly expected but when competing initiatives come into play (or additional ad-hoc load). I am a single point of failure here, keep the path level and looking strategically at long term growth. Agility and good execution (seeing beyond the ask).

In what area would you hate to see something go wrong?

Trevor Sykes, CTO, ALM: Security. I would hate to see our systems hacked and/or the leak of personal information.

Noel Biderman, CEO, ALM: Data exfiltration, confidentiality of the data. An insider data breach would be very harmful. Have we done good enough a job vetting everyone, are we on top of it.

Kevin MacCall, VP Operations, ALM: Had trouble maintaining our production environment. If the cause was deemed to be actions/lack of actions on someone in operations, ball being dropped on something that we should have been responsible for. Underestimate technical impacts of changes from the business. There's a lack of security awareness across the organization.

What are your most critical goals and objectives?

Kevin MacCall, VP Operations, ALM: Security has become more critical. Everything we're doing is repeatable, automation, monitoring for visibility. Measurements of these goals subjective.

Trevor Sykes, CTO, ALM: Execute most critical impacts. Security (protecting everything we have), executing well. Process improvements on getting business asks done, increasing transparency and achieving shared understanding of how to get things done.

What are your three greatest business problems or obstacles?

Trevor Sykes, CTO, ALM: Flexibility. Hard to build 12-24 month horizon when the business needs/wants the flexibility to change their minds. Awareness of impacts of changing our minds.

Chris Western, QA Manager, ALM: Staffing. You can't build a quality QA team if they are just doing exploratory manual testing. No engagement. For some of the QA, the only reason they are here is because they don't feel they can get a job somewhere else, their skill set has aged out. Fighting with the environments. Information silos.

Stories by Steve Ragan