Security Leaders Give Up

Thursday, April 12, 2012

T.H. Enders


In breaking news today, information security experts and leaders around the world give up. In uncanny synchronicity, CISOs, CSOs, security auditors, and security consultants up and walked off their jobs.

"It's just so dirty," Niel Iton, CISO, said yesterday morning as he left his information security job as a consultant for the United Nations.

The move appears to be organized but many sources indicate that it's not. There seems to be no central reason such as a new law or compliance objective that they are reacting to. Apparently they all just got fed up at the same time. It appears that they just wanted out of the security industry.

While security leaders and experts have left their jobs in record numbers this morning, it does not appear to be unanimous. The quitters make up only 99% of the professional information security workforce. Specifically, it appears that the quitters are only the ones who don't think security is just about protecting business interests. By the estimate of many business analysts, that means despite being 99% of the workforce, they make up less than 1% of business value.

"If I have to hear one more time that security is about making business succeed I think I'll throw up," said Courtney King, ex-CSO of a nation-wide bank.

Companies have already started responding and compensating for the loss. Ernest Reaves, CEO of Maxilox, a cloud company specializing in the offsite back-up of personal data, explained that they took immediate action.

"After the walk-out, we quickly purchased another firewall to put in front of the first one, secured a license for a second anti-virus product to have 2-factor authentication on the desktops, and picked up a few hundred mousepads that remind people to think before they click on anything suspicious. We've got it handled. No hackers getting in here! So let those quitters just walk away."

Business analysts all seem to agree that it is a good thing that these people have finally left and are no longer a thorn in the sides of executives trying to make another buck. Some are nothing short of ecstatic about the sudden move.

"Good! I'm glad those idiots are gone! They're a friggin costly albatross to businesses anyway," said Sean O'Neil, long time Business Analyst and host of the network television show 'Money Talks'.

"And don't they know they wouldn't have jobs if information security wasn't about business? It's the businesses who hired them and gave them their jobs. It's the businesses who pay for the suits on their backs. It's the businesses that pay them their salaries so they can buy gas for their cars so they can get to work! So of course they're working for the business. If information security isn't about meeting company business objectives what is?"

Meanwhile, of the 1% of security leaders and professionals who did not up and leave today, there's a lot of confusion. Stephen Usher, President and CEO of the one-man Tiger Team, Heavy Pusher Security Consulting is angered over the walk-out.

"Don't they get it?! The business of security is business. Whether it's about protecting the private information of your users so your company can sell it to advertisers, or protecting the copyright of pictures and media that your users upload to your servers so your company can claim ownership of it for reuse or resale, or providing strong encryption on communications intercepted from your fellow citizens so they remain private for police use only, or even if it's just to maintain state secrets of spending tax payer money to defend corporate oil interests overseas, our priority is to support the business. If you can't get in bed with your company's secret mission statement objectives then you have no business being the leader of their information security."

However it might be exactly that which is the problem. Chatter is beginning to rise through tweets and blog posts regarding the walk-out and it appears the problem is business. Posters with #InfoSecQuitters are saying that they are cajoled by some security professionals because they choose not to put business first.

One blogger going by the name of Code King Security writes:

"You know how in that movie where an extraterrestrial alien fleet shows up to take over the Earth and there's that one human guy who sides with the invaders? He gives them the knowledge or help to persecute other humans in exchange for gifts and riches? Well, I don't want to be that person. I, for one, do not welcome our profit-minded overlords. I'm not like that 1% who thinks only in terms of using my security knowledge just to support my company's mission statement. I'm there to use security to make sure business is safe for everyone we are doing business with. Not at anyone's expense."

Indeed, many more bloggers are saying the same thing as Code King Security. Sara Hart is another ex-CISO who tweets, "The business of security is not business, it's security." Additionally she tweets her opinion of the remaining 1%, "Sharks should only protect evil hideouts in movies."

In her follow-up blog post, she writes, "Those pathetic risk and security professionals who are trying to tell us that security is about following a company's business plan or mission statement are just filthy mercenaries out to make more money for their conglomerates and cabals. The security product vendors are the worst. This whole industry is about hawking more of the same crap that does more of the same nothing. The whole security industry has become about profit. Making it or defending how it's made. They disgust me and I want no part of it."

It's hard to say at this point what the repercussions will be from this worldwide walk-out. Political pundits, security analysts, and the Department of Homeland Security are still trying to get a clear picture of the breadth of the problem.

One morning show pundit, Ivan Turnkey gave his take. "Nobody knows what will happen when the only security professionals left are the ones who think only in terms of assets and business objectives. But it's clear that the losers will be the people. Without security leaders in organizations whose priority is the users, customers, and employees that make up the business, security is only going to get a whole lot worse for us all. If you think EULAs and privacy practices of businesses is bad now, just wait and see what happens when the people who fight for the little bit of security we've got now go away and are replaced by the 1% who only want to defend business interests."

Watch #InfoSecQuitters for minute by minute coverage as events unfold. Or take part and sound your opinion.

Possibly Related Articles:
Enterprise Security Policy
Information Security
Enterprise Security Leadership Chief Information Officer Security Expert Information Security Infosec Professional InfosecQuitter
Post Rating I Like this!
Tom Coats Drat, you caught me again, but isn't it time to put April Fools to bed for another year?
Pete Herzog Wow! Wicked use of sarcasm! Great job! Message received loud and clear! I hope others do as well ("the 1%").
Sal Tuzzo I would expect more than 4 people to like this article by now. I have been in those meetings. Companies are not interested in real security. They are interested in making sure their customers believe they are secure. "Risk management" a business point of view. If we can send people into space we can surely create real security "if desired".
Michael Johnson Yes, I've also clicked the 'like button' just now.
Isn't infosec supposed to involve doing whatever it takes to adequately protect digital assets, regardless of whatever business objectives or mission statement? The responsibility extends way beyond the business to customers, clients, suppliers, possibly even the general public.
The executives might not even consider the potential for a security breach capable of putting them out of business, or seriously disrupting operations. Maybe they don't understand the trade-offs between productivity and security - the 'Bring Your Own Device' hype is just one example.
Tom Coats OK Point made, and yes it is funny, but most us are not God, and we get paid not to save the world (Though we all do our best) but to advise managers. We make sure that if things go all pear-shaped that nobody can say they didn't know. Eighty percent of the time the managers I deal with do not have enough guts to disagree with me. But those that are willing to do the numbers and take the risk, more power to them. I just assure transparency. Boy does that scare most of them. In the end if you are not protecting business interests, what are they paying you for.
Pete Herzog Tom, I'm a fan of this article because I've been trying to get security people to understand for a long time now that we're there to protect assets. That's not the same as business interests (eg. ) or the mission statement (eg. ) in which such cases use, abuse, or ignore the safety and security of assets, especially assets they have been given (like private and personal identifying information of customers) to pursue new, other, different business. I think it doesn't matter what they're paying you for because you need to decide what's best for the security of the assets- you're the expert- you're the leader of the security. Many times they want or ask for things that are unreasonable, hurt others around them or are careless of other people, including their own employees (sweatshops). So you need to decide how best to protect those assets. Even if it's above mission statements and executive business interests. Too many people just "doing their jobs" can contribute to a whole lot of hurt for others. Could they fire you? Sure. But you have to think about why you're doing what you do- to earn a buck even at the expense of others or to create, build, and help. A short example: business interest might be to keep customer CC numbers and info in a database for their next purchases but asset security is that you don't do that. So, like so many other challenges at the office, find a way to still make business while primarily protecting the security of your assets (customers).
Tom Coats Pete, We are almost on the same wavelength but not quite. No matter what my personal motivations are I am not in a position to make management decisions. I only advise and I advise in the best interest of the person or group that pays me.

For the sake of my soul I work hard to make the advise line up with my view of who owns what and what is morally defensible but in the end I am not management, someday I might be and then I will think differently.
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.