Personal Responsibility in Information Security
Recently Nick Selby posted on FudSec his article on Showing the Oblomovs the Door. For those who care, an Oblomov or Oblomovism is considered a lazy or apathetic person or belief. The blog post claims that information security professionals are “well-trained, well-intentioned” but “reduced [to] a series of relentless box-ticking” due to being “saddled with compliance management.”
The blog post further claims:
The CEO who lets the Security organization become the compliance department has abdicated to the government and Payment Card Industry his responsibility to understand and manage organizational risk. That is a fiduciary breach of CEO responsibility to shareholders. In addition to firing your ass, this should also be a floggable offense.
I agree one should use compliance as a guideline but manage it with respect to the business process. I disagree with the fiduciary statement on grounds that one cannot claim a breach based on sparse case study and singularity statements. The writer says this to bring grandeur to their claim.
The important part of this statement is that we are focused on the individual company here and their personal responsibility. Remember, if you ever want to get something done don’t pass the buck.
The author, frustrated with the current implementation of compliance, states, “I stomped away from trying to influence security as an analyst because compliance … has managed to suck every ounce of oxygen from the room that is the security industry.”
Let’s just remember that history has shown that in the absence of legislation there exists a downward spiral of corporate responsibility towards protection of customer/consumer information and the well being of others. To support this I point to the moments of punctuated equilibrium that lead to things such as the Food and Drug Administration (FDA), the Securities and Exchange Commission (SEC), marginally improved ecological laws in China, and the current global financial crisis — to name a few.
Let’s also take a moment to remember that regulatory compliance has been raising the bar of information security since 1999, starting with GLBA, then with HIPAA and SOX, and finally with PCI DSS. Is it because PCI DSS impacts most all business verticals on a global basis that it receives the most abuse from those who feel burned out?
Might I remind you that without such efforts the number of data breaches would be higher, much higher, than we see now because people find it easier to blame someone or something else rather than take personal responsibility for their own work. The Information Security Management Handbook, by Tipton and Krause, has a section on diffusion of responsibility.
People behave differently based on the perception of being part of a group as opposed to being an individual. It has been commonly observed that people tend to work less in a group than as individuals when only group output is measured. People, in addition, tend to feel less responsibility in a group than as a single individual. The bigger the group, the lower the felt sense of responsibility. Social scientists call this diffusion of responsibility and the phenomenon is commonly observed across all cultures.
I believe that instead of blaming others, we as information security professionals need to become an agent of change starting with ourselves and our current environment and expanding outwards.
The blog then claims:
At this writing it’s unclear whether Black Hat and DefCon demonstrations will include the PCI-compliant account skimmers we’re heard of, but the fact that they’re out there stands testament to the Pyrrhic victory that is the PCI Data Security Standard.
Please remember, the PCI DSS is meant to protect against the electronic and paper theft of payment card data. It is not meant in any way to prevent credit card skimming. If you wish to raise the issue of skimming, please use the correct approach which is to clarify the need for a more secure payment card. That of course gives way to the larger question of what is proper capital allocation and the conundrum of offline transactions and backwards compatibility.
I agree, sadly, with the blog post when it says, “PCI is not the minimum standard, it’s the maximum effort that many organizations make.” The question I have is, based on historical precedent (see above): are we better off with or without a carrot-and-stick approach? What impact has HIPAA had on the security of health care records vs PCI on the payment card industry? In which area do we see more movement?
Certainly, movement does not always imply movement in the correct direction, but I would claim that basic items such as PCI DSS Requirement 3.2 which tells merchants and service providers to not store sensitive authentication date post-authorization has done wonders to the security of our payment card data. How better to secure the data than to remove it in the first place? We are seeing trends in this direction more and more in this industry and others.
But isn’t it better to have a minimum standard than none? What if the minimum was for companies to do nothing?
Jeremiah Grossman stated, “nothing did more to build webappsec awareness than pci-dss. Now we need something to improve webappsec security.” I could not agree more, but let’s please remember that without awareness of a problem you cannot bring clarity or correction. People love to lambaste and transfer responsibility to others, all the while stomping away from personal responsibility.
If your company or those around you fail to see the forest through the trees of ‘industry best practices’ when I wonder if they are fit to run the information security department. Those who complain that ‘compliance’ is the problem are transferring responsibility to industry standards instead of working to secure their own infrastructure.
Do such standards need correction and evolution to mirror the evolving threat of attackers and the continued evolution of information security practices and technology? Certainly! I support Mr. Selby in his goal to drive higher standards and move towards risk management, but let’s do so by taking individual responsibility for our own management of risk.
Mr. Selby claims, “all this compliance stuff is preventing us from addressing risk and performing, you know, security.” Why? Did someone tell you that you cannot secure your data? Did someone tell you that by using proper the proper risk management practices you claim work so well that you cannot pass the “minimum standard”? I support you in questioning and ferreting out anyone who makes such statements. For the rest of the unwashed masses, we need standards.
Mr. Selby ends his rant with a statement everyone should agree with, “Compliance – the state of being – is achieved as a by-product of well-managed risk, not through a relentless ticking of boxes”, which is then followed by high-level statements of positive thinking. The problem is that we need some tactical examples and guidelines to match the ever increasingly vague strategic statements. GLBA says to safeguard customer information, but how? And left to their own devices most companies will chose the cheapest possible way to implement optics of compliance.
I argue, that the PCI DSS has given concrete statements to how one secure their infrastructure, while giving the flexibility one needs to adjust for business and risk management (e.g., compensating controls, wireless and end-t0-end encryption guidelines.)
The problem lies not with our industry “best practices” but with the diffusion of responsibility that happens throughout every company. Let’s reference back to that Information Security Management Handbook article:
The effects of de-individualization and individualization are real and play a role in how users perceive their role in an information security awareness program. In the credit card processing call center example, de-individualization can encourage theft, carelessness, and loss of productivity.
I’d like to stop the blame game and see everyone start at home, transforming their company and being neighborly enough to share the information and results with others. Revolution has often come from emerging evolution of ideas and conversations. I commend Mr. Selby for the conversation, but wish it involved a greater focus on personal responsibility.
Take responsibility for your own security, risk management, and data protection. Start today.