Disclaimer: The opinions of the columnists are their own and not necessarily those of their employer.
Kenneth F. Belva

Slashdot Post On Security Ethics Demonstrates Professional Naiveness

Over at Slashdot, an anonymous reader was quoted as follows (in entirety):

“I am a senior security xxx in a Fortune 300 company and I am very frustrated at what I see. I see our customers turn a blind eye to blatant security issues, in the name of the application or business requirements. I see our own senior officers reduce the risk ratings of internal findings, and even strong-arm 3rd party auditors/testers to reduce their risk ratings on the threat of losing our business. It’s truly sad that the fear of losing our jobs and the necessity of supporting our families comes first before the security of highly confidential information. All so executives can look good and make their bonuses? How should people start blowing the whistle on companies like this?”

Any astute security practitioner at a publicly traded company — and I’m assuming that a Fortune 300 company is publicly traded — should know about Sarbanes-Oxley. One provision in SOX requires that there be a channel for anonymously reporting violations of the law and fraud directly to the board of directors. The extent to which this reporting is truly anonymous can certainly be questioned, but an avenue to “whistle-blow” does exist.

In addition, there is a certain balancing act that occurs between the time the audit and risk reports are drafted and the time the final reports are issued. This is normal in any and every corporation for any type of audit, not just information security. I do not know of any company that accepts all comments and audit findings outright. The auditors present them in the worst possible light and the company presents them in the best-case scenario. There is some debate, some fixing of issues (or potential issues), and then a resolution of some type that usually falls between the two extreme positions.

I wish this anonymous reader had put their name to the article. Their statement above demonstrates a complete lack of understanding of the security process within a corporate environment from a political perspective.

4 Comments

  1. Kenneth F. Belva Apr 18, 2008 at 11:09 am

    I became aware of a post on Layer8 accusing me of being “professionally ignorant.” Unfortunately this individual will not allow people to comment on the Layer8 site unless one registers. So here is my reply to this blogger:

    =============

    I believe that naïveté and naiveness are synonyms and are both nouns, which means they are interchangeable.

    Dictionary.com:
    http://dictionary.reference.com/browse/Naiveness

    ——-
    naiveness

    noun
    lack of sophistication or worldliness [syn: naivete] [ant: mundaneness]

    WordNet® 3.0, © 2006 by Princeton University.
    ——-

    Here’s Princeton’s direct URL which basically states the same thing as dictionary.com:
    http://wordnet.princeton.edu/perl/webwn?o2=&o0=1&o7;=&o5;=&o1=1&o6;=&o4;=&o3;=&s=naiveness&i=0&h=0#c

    ——-

    Perhaps a second post with a retraction is in order for your slander against me in regards to my “professional ignorance.”

  2. David Funk Apr 18, 2008 at 1:08 pm

    Ken, Ken, Ken, I love ya (well maybe just like your blog). But I think you got a few things not quite right here. First, naivete’ - naiveness, who cares? That ain’t the problem. Second, I wanta agree with you, I really do. When I first read the post, I thought, ‘how many guys just like this guy have I seen?’ I think, completely without any empirical evidence, that most computer security guys believe that their job is to set up the best computer security possible for their organization, company, whatever. WRONG. Their job is to give the CIO the security he wants. Period. This guy was so obviously one of them, my blood boiled. Then I read the post again. And while I really believe that this guy is one of them, there really isn’t proof. This guy could be working for Enron (well not Enron, but someone just like Enron, just not as big, or ballsy), it really is possible. And nothing in the post helps me understand if he is off balance or if his firm is. Both are pretty possible. Third, you’re a blogger. Buck up, deal with it!

    To the ‘Senior Security XXX’
    First, I assume that ‘XXX’ does not mean that you are in the porn industry. Second, “All so executives can look good and make their bonuses?” Where have you been? Were you born yesterday? Do you really think that those executives give you a pay check for some reason other than making them look good? GROW UP! It is called Capitalism. Worst economic model except for all the others tried. If you don’t like it, go somewhere Communist, or maybe to a church. Then write back and tell me how much better it is there. I would also be interested in knowing if their security practices are any better.

  3. LonerVamp Apr 18, 2008 at 2:32 pm

    Lots of strong (and negative) emotional responses going around about a very vague post on Slashdot, for a Friday no less! A lot of getting upset about opinions…

    @Ken: “Their statement above demonstrates their complete lack of understanding of the security process within a corporate environment from a political perspective.”

    Ok, this sentence is what really made me post here. Are you telling me we should all be interested in the political perspective of our organization’s upper levels? I’m not going to talk for every engineer or trench-worker, but I think many of them would rather NOT think about the political perspectives. That’s not a failure of some lofty ‘everyone must align with business’ mantra; just human nature and reality.

    For another example, have you ever negotiated (or questioned!) the financial statements from the accounting side of the office? Or the results of a diehard QA engineer? I’m not saying that’s how a security audit should be, but I want to use that as an example of the mindset this engineer seems to adopt. Little different than many accountants and engineers I’ve known.

    By the way, lack or presence of a real name does not constitute less of a point or validity to the topic at hand. Just sayin. :)

    @David: “I think… that most computer security guys, believe that their job is to set up the best computer security possible for their organization, company, whatever. WRONG.”

    This depends entirely on where you are in the organization. There are many, many engineers who want to be and are good at their job, but are not good about empathizing with and understanding their CSO. They really feel that unless their slice of the pie is perfect, it’s not good enough. That’s just how it is. And I can’t nor won’t fault anyone for that work and personal ethic. I’d go on this further, but I don’t want to ramble. :) My point is that this is not unequivocally “wrong.” If this “senior” engineer reports to the CIO, then I’d say you could have a good point.

    I’d be curious to see which side most people fall on in their own professional standing. I’d simply guess that people who agree with the engineer are non-managers, and those who are ensconced in anger are the managers and execs. A dirty generalization, but one I’d be willing to place some chips on.

    In closing, two points. First, this is a lot of passion and discussion around things tangential (the professionalism of the poster and assumptions of the backstory) to the topic at hand (reporting insecure practices and audit negotiations) and these passions depend upon a) the engineer’s position in the company, and b) the company structure. Without knowing these two things, all we’re doing is arguing different arguments; apples vs oranges. Second, relax and have a good weekend. :)

  4. Kenneth F. Belva Apr 18, 2008 at 5:02 pm

    @David

    The “Senior Security XXX” author is caught in a dilemma in which he loses either way. Let’s assume that he works in an Enron and things are as bad as he describes: SOX provides a line to the board of directors for whistle-blowing. He should *know* that as a security professional — senior or not — working in a publicly traded company. If he doesn’t know this, he’s naive. If things are not corrupt like Enron but he’s describing them as such, then he doesn’t understand the political process. Again, naive. He loses either way.

    @LonerVamp

    You wrote, “Are you telling me we should all be interested in the political perspective of our organization’s upper levels?” At minimum, I believe that one should be concerned with the decisions that affect one’s role and function.

    @both
    Thanks for the engaging comments and making me smile. All the best…
