In the wake of a breach of LinkedIn users' passwords that first came to light last week--after a subset of those passwords were uploaded to an online password-cracking forum--security pundits have been asking how much LinkedIn's business practices might have been at fault.
Multiple commentators have noted the absence of a chief security officer (CSO) or chief information security officer (CISO) on the LinkedIn organizational chart, with some inferring that the breach could thus be traced to a "lax security" attitude at the social network, because "no one was responsible for IT security," according to TechWireAsia.
[ Beef up your passwords. Read 7 Tips To Toughen Passwords. ]
But LinkedIn has defended its security posture and response to the breach, noting that after the password theft came to light early last week, by Thursday it had disabled the passwords on all accounts that were known to have been compromised by attackers. "At this time, there have been no reports of compromised LinkedIn accounts as a result of this password theft," according to a Tuesday LinkedIn blog post, which further noted that the company was "continuing to work with law enforcement as they investigate this crime."
LinkedIn said it's also already put stronger password protection in place. "The LinkedIn technology team has completed a long-planned transition from a password database system that hashed passwords--i.e. provided one layer of encoding--to a system that both hashes and salts the passwords--i.e. provides an extra layer of protection," according to the company's blog post. It also suggested that the company was pursuing further security enhancements, though declined to detail them.
In terms of security oversight, a story released Friday reported that two people at the company were responsible for security. But LinkedIn said that there had been a misunderstanding with the reporter, and later in the day reached out to correct the record, noting that David Henke, the company's senior VP of operations, is solely in charge of security. Henke's LinkedIn profile lists his responsibilities as being the company's "production operations, IT, data systems, security."
Since then, the company has been defending its security credentials, noting that "its "technology team includes world-class security experts," according to the company's Tuesday blog post. "This team includes Ganesh Krishnan, the company's security czar, who previously served as vice president and chief information security officer at Yahoo! Inc. He and the entire security function at LinkedIn reports to senior vice president of operations David Henke," whose LinkedIn profile names his responsibilities as overseeing the company's "production operations, IT, data systems, security." According to Krishnan's LinkedIn profile, meanwhile, he heads LinkedIn's technology center in India. In other words, LinkedIn's head of security, based in India, reports to its head of operations, who's based in California.
LinkedIn said that the absence of a CSO or CISO label on the org chart reflects only the company's job-naming conventions, rather than its security posture. "LinkedIn historically has limited C-level titles only to its chief executive officer and chief financial officer, so while Krishnan does not formally have the title of chief information security officer, that is the role he has played at the company since his hiring in 2010," according to the LinkedIn statement.
But should one employee be in charge of not just security operations, but also IT? Conversely, in the case of LinkedIn, does Krishnan--the company's security czar--report to a suitably senior member of the company?
In general, said Patricia Titus, VP and CISO of Symantec--after referencing "glass houses" and noting that the LinkedIn password breach could have happened to anyone--many businesses see security as "an expensive add-on" and end up not paying sufficient attention to it. "So they'll dual-hat their IT director and say he's also doing IT security. And in some organizations--I call it the pile-on--they also pile the chief privacy officer (CPO) responsibilities onto the CIO or CISO role."
"So you end up with three titles, and it makes them very thin when it comes to achieving success with any one of those responsibilities," said Titus, speaking by phone.
Social media companies often face these types of security challenges, simply because they grow so quickly. "If it takes five years to evolve your way up to a billion-dollar valuation, then it gives you time to ramp up your growth--yes, we'll hire a security person and put them in," said Tom Patterson, practice director for the commercial security division of consultancy CSC, via phone. "But if it happens overnight, it's going to take time to catch up."
Symantec's Titus, however, noted that many organizations do have a senior-level CSO or CISO, even if that's not their official job title. Other organizations, meanwhile, will typically have at least someone in the CIO's group who's in charge of security, "albeit it's often buried down three layers," she said. For reference, Titus said she reports directly to Symantec president and CEO Enrique Salem.
What's the problem with having a head of security who's buried inside the IT group? "Levels of responsibility, authority and funding are critical to the success of that [security] group," said Titus, who's previously served as the CISO of Unisys, as well as the Department of Homeland Security's Transportation Security Administration. In other words, the position--or lack thereof--of the security chief on the organizational chart can signal the seriousness that an organization is devoting to its security program.
Accordingly, in the wake of the LinkedIn breach, every CEO and board member should be asking not just who's in charge of their information security program, but whether they have sufficient power. For example, a survey commissioned by security vendor CORE Security and conducted by Research Now in April found that in many businesses, CEOs often don't communicate frequently with whoever's in charge of their security program. According to the 100 CEOs and 100 CSOs or other heads of security surveyed, in about one-third of companies, CEOs never receive updates on their company's security posture from the CISO, while in 27% of businesses, CEOs only get updates on a "somewhat regular" basis.
In other words, executives at many companies--not just LinkedIn, eHarmony, or Last.fm, all of which experienced password breaches that came to light last week--could stand to sharpen their security practices.
"In the past few days, I've had a lot of meetings with CEOs and mentioned the LinkedIn breach, and I say, if you were silly enough to reuse your password, attackers are combing through the records to see if the password also works for your bank," said CSC's Patterson. "Immediately, the meeting stops and these very high-profile executives leave the room and come back 20 minutes later and say, sorry, I had to change my bank password."
Employees and their browsers might be the weak link in your security plan. The new, all-digital Endpoint Insecurity Dark Reading supplement shows how to strengthen them. (Free registration required.)