“We Don’t Need Security… We Collect Taxes”

If you are looking for a gold mine of sensitive information, the IRS appears to be the place to find it.  When individuals file their returns, the expectation is that the data is well protected by the United States Government.  Unfortunately, the Government Accountability Office (GAO) has found a recurring pattern of weaknesses in how the IRS protects that information.

Try this on for size.

“Around tax time in 2007, 2008, 2009, 2010, 2011 and now this year, the Government Accountability Office has identified similar, recurring weaknesses that could expose sensitive taxpayer information and agency financial data, according to archived GAO reports.”  – Aliya Sternstein, “IRS plagued by computer vulnerabilities five consecutive years” 3/19/2012 Nextgov

It seems the IRS doesn’t want to play by the same rules as other federal agencies, which are required to institute mandatory information security programs.  According to the GAO reports, they have not only failed to properly train personnel but have also failed miserably at testing their technical controls.  AND… it is the same problem year after year after year.

It’s even more disheartening to see continued patterns of security failings and still have IRS officials say they have “fully implemented a comprehensive security program.”   That just doesn’t jibe.

I hope they fix these problems before they take on the enforcement of Obamacare.  That’s a disaster waiting to happen.

Photo credit:  Arvind Balaraman and freedigitalphotos.net

Remember when….

Last night I was thinking about my start in the information security field.  I was working as a network analyst for an international company and was simply assigned “the firewall” for the relatively new Internet connectivity.  I quickly caught the security bug, attended a conference or two, read anything I could get my hands on and then presented a new idea of an “information security” function for my boss and his boss.

I thought I was being diligent in explaining the security triad (Confidentiality, Integrity, and Availability) when I hit a roadblock.  The Director at the time said, “Availability isn’t a security issue at all… you don’t know what you’re talking about.”   Perhaps I could have talked about Denial of Service attacks or viruses preventing employees from accessing the resources needed to do their jobs.  I could have talked about lost revenue, customers going with alternative products, or other examples of how “availability” could impact the business bottom line, but I didn’t have the skills at the time to counter her argument.   Security remained an “other duties as assigned” function for the rest of my tenure there.

Revisiting the organization after 18 years, I found their security posture to have matured dramatically since then (along with my business, communication and security skills).  Good for them!  They have a fantastic security team that has the ear of senior leadership.

What’s funny is that, after 18 years, I still come across similar failures in understanding.  For instance, at one organization their primary servers, filled with customer data including personally identifiable information, sat outside of their firewalls.  The executive leadership at the time didn’t think that was a big deal because “the servers are secure.”   Another time, a plan to eliminate social security numbers that weren’t needed on a server was met with near hostility and a comment of “it’s protected by a firewall anyway.”

Examples like this continue to plague the information security field.  Is this an executive problem, or a problem with CISOs not educating or communicating the issues in a way that is understood by “business-minded” folks?  If we can’t relate the threat in terms that are used in other business disciplines, then in another 18 years we’ll be hearing the same stories repeated by the next generation of security professionals.

A Good Profession

CSOOnline ran a recent article entitled “7 Ways to Stay Happy in a Miserable Profession,” which listed items from a Mike Rothman presentation, “The Pursuit of Security Happyness.”    No doubt the information security profession requires a certain level of mental toughness, but I just can’t buy into some of the suggestions made in the article.

Accepting that we can’t win

I’m not sure a defeatist attitude is all that appropriate for information security professionals.  You’ll always run into difficult budgets, management and staff who are trying to buck the system, and a threat from bad guys who communicate better than the good guys.  Part of being happy and successful in the information security profession is having passion for what you do.  It is up to the information security leader to share that passion, to be the evangelist of information protection, and to “sell” information security by demonstrating how it enables the business.   The article certainly is right in stating that “YOU define personal success”; however, your attitude goes a long way.  Nobody will buy into your security agenda if you start off with a sulk-in-the-corner attitude.

Focus only on what you CAN control

Absolutely.  However, you can’t ignore senior management, budget, user stupidity, DBA “dimwits,” office politics and the host of other issues listed in the article that are part of the environment we work in.  The security leader needs to shape and influence these areas, not just shrug their shoulders and say “I can’t do anything about it anyway.”  We need to excel at the things we control while working to influence behavior and decisions outside the coverage of our umbrella.

Look for NOT normal

Visibility into what is actually happening on your systems is essential to a successful security program.  The concept of looking for unusual activity isn’t anything new, but it is something that isn’t done very well in many organizations.  It starts with knowing what normal looks like: who logs in, when, from where, and how much data they typically move.  Without that baseline, there is no “not normal” to find.  The better you get at spotting the unusual events, the better you get at stopping unauthorized disclosure and data theft.
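To make “look for NOT normal” concrete, here is an added example (my own illustration, not code from the original post or from Rothman’s presentation).  It builds a per-user baseline of download volume from a constructed, made-up audit log and flags events that are far outside that baseline or that happen outside business hours.  The log format, the `BUSINESS_HOURS` window and the 3.5 threshold are assumptions chosen for the sample; the baseline uses the median and median absolute deviation (MAD) rather than mean and standard deviation, so that a single huge exfiltration event does not inflate the baseline and hide itself.

```python
"""Baseline-and-deviation check over constructed audit log lines (added example)."""
import math
import statistics
from collections import defaultdict
from datetime import datetime
from typing import List, NamedTuple, Tuple


class Event(NamedTuple):
    ts: datetime
    user: str
    nbytes: int


# Constructed sample: one line per file-download event, "timestamp user bytes".
# These records are made up for illustration; they are not real logs.
SAMPLE_LOG = """\
2012-03-01T09:12:00 alice 120000
2012-03-01T10:40:00 alice 98000
2012-03-02T09:05:00 alice 110000
2012-03-02T14:30:00 alice 130000
2012-03-03T09:50:00 alice 105000
2012-03-01T08:55:00 bob 40000
2012-03-02T09:10:00 bob 45000
2012-03-03T09:20:00 bob 38000
2012-03-03T02:15:00 alice 2500000
2012-03-04T09:00:00 bob 43000
2012-03-04T23:40:00 bob 4100000
"""

BUSINESS_HOURS = range(7, 20)  # 07:00-19:59; an assumption for this sample
MAD_SCALE = 0.6745             # makes MAD comparable to a standard deviation
Z_THRESHOLD = 3.5              # common cut-off for the modified z-score
MIN_SAMPLES = 3                # too few events means no meaningful baseline


def parse_log(text: str) -> List[Event]:
    """Parse the simple whitespace-separated format used by SAMPLE_LOG."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, user, nbytes = line.split()
        events.append(Event(datetime.fromisoformat(ts), user, int(nbytes)))
    return events


def robust_z(values: List[int], x: int) -> float:
    """Modified z-score of x against values, using median and MAD.

    A median-based baseline is not dragged upward by one enormous outlier,
    which is exactly the event we are trying to catch.  If every baseline
    value is identical (MAD == 0), any different value is treated as
    infinitely unusual rather than causing a division by zero.
    """
    med = statistics.median(values)
    mad = statistics.median(abs(v - med) for v in values)
    if mad == 0:
        return 0.0 if x == med else math.inf
    return MAD_SCALE * (x - med) / mad


def find_anomalies(events: List[Event],
                   threshold: float = Z_THRESHOLD) -> List[Tuple[Event, List[str]]]:
    """Return (event, reasons) for events that do not look normal for that user.

    'volume' means the download is far above the user's own baseline
    (one-sided: unusually small transfers are not an exfiltration concern).
    'off_hours' means the event falls outside BUSINESS_HOURS.
    """
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev.user].append(ev.nbytes)

    findings = []
    for ev in events:
        reasons = []
        baseline = by_user[ev.user]
        if len(baseline) >= MIN_SAMPLES and robust_z(baseline, ev.nbytes) > threshold:
            reasons.append("volume")
        if ev.ts.hour not in BUSINESS_HOURS:
            reasons.append("off_hours")
        if reasons:
            findings.append((ev, reasons))
    return findings


if __name__ == "__main__":
    for ev, reasons in find_anomalies(parse_log(SAMPLE_LOG)):
        print(f"{ev.ts.isoformat()} {ev.user} {ev.nbytes:>9} bytes  {', '.join(reasons)}")
```

On the constructed sample this flags exactly two events: alice’s 2.5 MB download at 02:15 and bob’s 4.1 MB download at 23:40, both for volume and off-hours, while every ordinary daytime download stays quiet.  In a real program the baseline would come from a longer history than the events being scored, and the hour window would be learned per user or per role rather than fixed.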

Communicate the good and the bad

It’s all about setting expectations, and Rothman hits the nail on the head with this one.  Openness and clarity are fundamental components of a good information security program.  They build credibility with senior management and help influence decisions when done properly.

Roll with the punches

Good days and bad days are part of the deal in any field, not just this one.  Information security is a tough field to play in, and if you can’t maintain a professional attitude during the tough times, you’re probably in the wrong field anyway.  It’s not about being addicted to controlling what you can’t control, as Rothman suggests.  It’s about doing the right thing.   At the end of the day, that’s what matters if you are intrinsically motivated.

Cover thy behind

Documenting everything is usually a good practice anyway.  If you build relationships rather than throwing your arms up in defeat, then this simply becomes part of doing business.  It’s never personal.  It’s providing professional service to the business and keeping track of decisions so that everyone is on the same page.   If you can’t operate professionally and find yourself having to CYA on everything you do, it’s time to find a new job anyway.

Know thyself

I’ve never seen a headstone with these words:  “If I’d only spent more time at work.”   I’m not a believer in the separate work life, home life, play life, school life.   It’s all life, and it’s yours.  Decide what is important to you and maintain a healthy balance.

————————-

The bottom line is that information security is a difficult profession that constantly changes, but that is what makes it challenging and fun.   It’s never going to be filled with glory, and the only headlines tend to be negative.   The quickest way to make this profession miserable is to become a defeatist and apologist, hunkering down in a corner with an attitude of “I can’t do anything anyway.”  You don’t fight cynics and grouches by being cynical and grouchy.

Being an information security leader, and running a good information security program, becomes fun when it is based around passion, humility, openness, clarity and agility.   We don’t need more negative security professionals.   Have fun.  Share your knowledge and keep trying to influence others to build a positive security culture.