
My dinner with Andre

Jon Oltsik
Jon Oltsik is a senior analyst at the Enterprise Strategy Group. He is not an employee of CNET.

As an industry analyst who covers information security, I've been telling people for years that "security is far worse than you think." Sometimes people accuse me of overstating how dire the situation really is. Allow me to support my position by highlighting a recent meeting I had with a CSO I'll call Andre. After my dinner with Andre, I felt like I was being overly optimistic.

Andre works at a pretty big firm and was hired to beef up security and inject security into the culture of the company. Pretty good recruiting message for a career security professional. If you didn't already know, security professionals actually have their own code of ethics, sort of like the Hippocratic Oath that physicians take. To one of these folks, fixing security is more than a job; it is a mission.

It wasn't long into his new job that Andre realized that the firm's information security processes and technologies were badly broken. To summarize the depths of his plight:

1. Nearly every IT staffer has administrative passwords for loads of systems and this oversight had been the status quo for a number of years. This means that any IT administrator could touch any system and anonymously gain access to confidential data.

2. The company transacted business with partners using standard FTP and confidential data was transmitted in cleartext. In simple terms, breaking into FTP is well understood in the black hat community and cleartext communication provides carte blanche to private (and regulated) data to anyone with a network sniffer.

3. The firm was committed to outsourcing pieces of the business but wasn't actively deleting old user accounts. In other words, many ex-employees still had access to the network. The implication here is that loads of former workers with a potential axe to grind still had access to their old employer's systems. Yikes!

4. Physical security was just as bad. The CSO snuck into the building one night with a digital camera and took pictures of loads of confidential documents. You don't need to go to MIT to perpetrate this type of crime.

Andre felt like he'd done his job and proudly reported his findings to upper management. Rather than act to adhere to compliance regulations or improve corporate governance, they seemed to resent the bad news and simply swept it under the rug.

Not surprisingly, Andre is quite disillusioned and sees his current job as a dead end. Meanwhile, the management team continues to make a fool's bet that the bad guys won't find the multitude of open doors and windows. This is bound to get ugly.

When I tell stories like this to other security professionals they respond with looks of acknowledgement and despair. Alas, Andre's dilemma is not unique. I hear stories like this one constantly.

Will things ever improve? Maybe, but it won't be pretty. Either more companies get breached and the laggards finally respond or Washington gets really tough with both new regulations and enforcement. Either way we are likely to see a lot more frustrated CSOs and costly security breaches in the short term.