Airing Out Security's Dirty Laundry

Former South Carolina security guru's testimony shows how lack of security culture can open an organization to threats

Last week a former security chief with the South Carolina Department of Revenue got to live out many a frustrated CISO's fantasy. He got to say, "I told you so."

More than a year after Scott Shealy was fed up enough with the lack of support for security within his department to quit, that same agency came forward to announce a breach affecting millions of state taxpayers. And last Thursday, Shealy testified in front of the South Carolina House committee about the departmental problems that led him to quit and likely contributed to the state's IRS becoming a target for hackers.

According to Shealy, he resigned from his job because he wasn't getting support to adequately perform his duties. He told legislators that his suggestions to install security measures went unheard, citing the department's failure to replace him for a full year as a sign of its lack of commitment to security.

"That guy got to have the meeting that every CISO who's ever been unsupported by their bosses wanted to have," says Mike Murray, managing partner for consulting firm MAD Security. "I have had jobs where I've wanted to be able to go in front of Congress and talk like that. It's heartbreaking for that guy and the people who lost their data, but, at the same time, I certainly have had times where I wish I could be that guy."

But if reports of the scene are true, it was hardly a satisfying experience for Shealy, who was said to have "sometimes quivered" during his testimony, according to Greenville Online. Nevertheless, his public post-breach airing of South Carolina's dirty laundry offered a number of key lessons to the infosec community at large, most notably about how important line-of-business support is to security endeavors.

"Until security finds a way to have meaningful discussions about risk and security effectiveness with business owners, it will be hard to get attention and funding for security programs," says Andrew Storms, director of security operations for nCircle. "South Carolina isn't the first organization to have this problem. 'It won't happen to us' is a nearly universal mindset that affects boardrooms and executives everywhere."

As universal as it is, when the alignment of culture between a security organization and the desires of the business is out of whack, it becomes nearly impossible to manage risk, Murray says.

"This guy couldn't be effective at doing his job because he couldn't effect change the way he wanted to," Murray says. "It wouldn't matter if he was the best CISO in the world or the worst. He still couldn't have gotten his job done because he and the security organization were out of alignment with the rest of the organization."

As beneficial as it is to hear publicly about other organizations experiencing the same kind of cultural misalignment that's usually only whispered about in trade-show hallways, there's a reason why Shealy's airing of the dirty laundry makes for such a rare occasion.

"Speaking publicly about your current or former client is a professional risk to your career and your perception as being the 'I-told-you-so-guy,'" says Gal Shpantzer, an information security professional working in the Washington, D.C., area. "You have to be very careful, especially in infosec, because if you're seen as breaching trust, you're never going to work anywhere again."

Shpantzer warns CISOs and security clients to tread carefully following a breach when the urge to burn bridges for the sake of speaking the last word hits.

"No. 1, don't do something stupid that will get you sued or perceived by others as someone who can't keep a secret. Be careful not to violate any contractual obligations," he says. "If you're dragged into committee and forced to submit a statement, that's different."

At the same time, security pros should be prepared for the inevitable fallout that comes from a breach, he says. Whether or not a security officer ever finds himself in the hot seat -- at a public testimony or just a closed-door board meeting -- it pays to keep records.

"Every security officer is a potential 'fall guy' once a breach occurs. So some CISOs keep what we call in the D.C. area a 'Washington Post file,'" Shpantzer says, explaining that this file should be ready for when the bad news about a breach at your company hits the pages of major news outlets. It's a time when many a boss will ask why a CISO didn't ask for resources or warn about the risks.

"You can say to your boss or a lawyer under subpoena that all the emails are archived, all the proposals are archived," he says, "but just to save you time, here's a DVD with information about every budgetary request and the risk justification for it for the last couple of years, along with presentations on similar examples in our sector paralleling the nature and amount of information at risk."

User Rank: Apprentice
1/9/2013 | 4:15:57 PM
re: Airing Out Security's Dirty Laundry
When CISOs are not getting the support they need to implement effective security, then just imagine what is happening to MSSPs - they're being set up as the fall guys when the inevitable massive breach occurs "during their watch". The takeaway is: yes, you better have your "due diligence" Washington Post files in order for when that subpoena shows up at your door, so that your lawyers will have a prayer at saving your neck. Better have your professional liability insurance up to date as well. Are we having fun yet?
User Rank: Strategist
1/9/2013 | 3:37:51 PM
re: Airing Out Security's Dirty Laundry
Being vindicated is one thing, but being prepared for a breach & fallout is wise advice (Shpantzer).

Kelly Jackson Higgins, Senior Editor, Dark Reading