Airing Out Security's Dirty Laundry

Former South Carolina security guru's testimony shows how lack of security culture can open an organization to threats
Last week a former security chief with the South Carolina Department of Revenue got to live out many a frustrated CISO's fantasy. He got to say, "I told you so."
More than a year after Scott Shealy became fed up enough with the lack of support for security within his department to quit, that same agency came forward to announce a breach affecting millions of state taxpayers. And last Thursday, Shealy testified in front of the South Carolina House committee about the departmental problems that led him to quit and likely contributed to the state's IRS becoming a target for hackers.
According to Shealy, he resigned from his job because he wasn't getting the support he needed to adequately perform his duties. He told legislators that his suggestions to install security measures went unheard, citing the department's failure to replace him for a full year as a sign of its lack of commitment to security.
"That guy got to have the meeting that every CISO who's ever been unsupported by their bosses wanted to have," says Mike Murray, managing partner for consulting firm MAD Security. "I have had jobs where I've wanted to be able to go in front of Congress and talk like that. It's heartbreaking for that guy and the people who lost their data, but, at the same time, I certainly have had times where I wish I could be that guy."
But if reports of the scene are true, it was hardly a satisfying experience for Shealy, who was said to have "sometimes quivered" during his testimony, according to Greenville Online. Nevertheless, his public post-breach airing of South Carolina's dirty laundry offered a number of key lessons to the infosec community at large, most notably about how important line-of-business support is to security endeavors.
"Until security finds a way to have meaningful discussions about risk and security effectiveness with business owners, it will be hard to get attention and funding for security programs," says Andrew Storms, director of security operations for nCircle. "South Carolina isn't the first organization to have this problem. 'It won't happen to us' is a nearly universal mind set that affects boardrooms and executives everywhere."
As universal as that mindset is, when the culture of a security organization is out of alignment with the desires of the business, it becomes nearly impossible to manage risk, Murray says.
"This guy couldn't be effective at doing his job because he couldn't effect change the way he wanted to," Murray says. "It wouldn't matter if he was the best CISO in the world or the worst. He still couldn't have gotten his job done because he and the security organization were out of alignment with the rest of the organization."
As beneficial as it is to hear publicly about other organizations experiencing the same kind of cultural misalignment that's usually only whispered about in trade-show hallways, there's a reason why Shealy's airing of the dirty laundry makes for such a rare occasion.
"Speaking publicly about your current or former client is a professional risk to your career and your perception as being the 'I-told-you-so-guy,'" says Gal Shpantzer, an information security professional working in the Washington, D.C., area. "You have to be very careful, especially in infosec, because if you're seen as breaching trust, you're never going to work anywhere again."
Shpantzer warns CISOs and security clients to tread carefully following a breach when the urge to burn bridges for the sake of speaking the last word hits.
"No. 1, don't do something stupid that will get you sued or perceived by others as someone who can't keep a secret. Be careful not to violate any contractual obligations," he says. "If you're dragged into committee and forced to submit a statement, that's different."
At the same time, security pros should be prepared for the inevitable fallout that comes from a breach, he says. Whether or not a security officer ever finds himself in the hot seat -- at a public testimony or just a closed-door board meeting -- it pays to keep records.
"Every security officer is a potential 'fall guy' once a breach occurs. So some CISOs keep what we call in the D.C. area a 'Washington Post file,'" Shpantzer says, explaining that this file should be ready for when the bad news about a breach at your company hits the pages of major news outlets. It's a time when many a boss will ask why a CISO didn't ask for resources or warn about the risks.
"You can say to your boss or a lawyer under subpoena that all the emails are archived, all the proposals are archived," he says, "but just to save you time, here's a DVD with information about every budgetary request and the risk justification for it for the last couple of years, along with presentations on similar examples in our sector paralleling the nature and amount of information at risk."