Do we need whistle-blower laws in security?
Tue, 2008-05-27 18:33

I never thought I would have to write about this topic. I get that security is a practice built on a premise of secrecy. That knowledge of security operations and structure are paramount to the safe and successful execution of any security program. But I am increasingly running smack into situations that are making me re-think my long held beliefs that security is black & white. More and more it appears to be a spectrum between fixed points and that sometimes businesses need a little nudge to do the right thing.

Long-time readers of this blog will know that my politics are a bit to the right and leaning towards libertarian. I have always felt that government/industry intervention or regulation is something to be avoided. I have always believed that businesses will do the right thing given the opportunity; that the prevailing view of businesses being big and mean and only looking out for their bottom lines is, generally speaking, fiction. But over and over again I see businesses failing to do the right thing when it comes to data security, usually by just not doing anything in the first place. The result is that data, usually personally identifiable customer data, is allowed to walk out the door almost at will.

While there are numerous examples I can cite, I'm going to use my old fallback, TJX, a company that, incidentally, has seen its stock value and sales increase since the huge data breach announced in January 2007. God forbid this company ever treats information security as a priority. Even after the largest breach in history, they are apparently still failing to address significant security vulnerabilities, according to one of their own employees, Nick Benson (see Robert McMillan's article on CSOonline.com).

Needless to say, Benson was fired for revealing this information. From what I understand he didn't go into this trying to be a whistle-blower, and as a student at the University of Kansas he may not even have been familiar with the corporate policies in place at most organizations that restrict employees from speaking with the media or in public about exactly these types of topics. But if TJX isn't appropriately addressing its security problems after last year's fiasco, and it has not been hit with market backlash on its stock price or sales, maybe it's time for regulators to jump in and give them a kick in the ass.

The problem really boils down to this: if people on the inside know there is a problem that can cause “substantial harm or inconvenience” to customers were their privacy to be breached, and the company refuses to do anything about it, isn’t it in the best interests of society to have someone jump in and force the issue? Maybe. Maybe not. I’m still not sure…and then I remember that some of my financial data is probably flying around on the servers at TJX. Is yours?

Reader Feedback
Wed, 2008-05-28 15:41
Notes from an IT whistleblower

As an IT professional who WAS a whistleblower on this very issue, and one who spent the last 3 years of my life dealing with the subsequent litigation I think I can speak to this issue with some authority. Not only from my experience when I was trying to get something done about many large security holes in a company that stores billions of credit card numbers, but also what I learned during the deposition and trial process during the course of the lawsuit. It was a real eye-opener into how large businesses (and financial institutions) look at security.

This is what I learned:

1) First and foremost – if the company won't do anything about security problems, even major ones like what I saw in my situation – there is no outside regulatory agency that will take steps to rectify the problem. Not the Federal Trade Commission, Attorneys General at a state level, SEC (in the case of publicly traded companies), Congress, FBI, Treasury Department, VISA or the other card brands. For me, the only hope that I have currently of any agency doing anything about data security is the Public Companies Accounting Oversight Board (PCAOB) which can sanction accounting firms for not testing for state, federal and contractual compliance issues – which should include data security, successful PCI assessments etc. I tried every other avenue, including the courts, and got nowhere.
2) Because there is no real accountability from the outside, companies with poor ethical standards that flow down from the top level, not only don’t take security seriously, but have no compunction about lying to auditors, intimidating/harassing/firing staff that bring up problems, perhaps paying off PCI QSAs to falsify assessments (either that or it’s a don’t ask/don’t tell type of thing on the QSA side), just doing whatever it takes to get past the PCI and continue with the least amount of security possible.
3) VISA/MC do nothing to enforce PCI unless there is a big breach, then they just take steps to get as much $$$ as possible from the MERCHANTS. They do nothing as far as enforcement for prevention of breaches that I have seen. They seem to do little or nothing with service providers – i.e. the third party processors and banks. VISA/MC can’t function without them.
4) During my trial I watched no less than 8 employees of the defendant testify on the witness stand that my greatest crime was going outside the “chain of command” to escalate security problems, and the absolute worst thing I did was report them to the Office of Information Security. This was after working for months to try to get the problems solved within my “chain of command.” I found this astounding.
5) Fixing security problems can very often be costly (both monetarily and time-wise), and if a company has a culture that promotes managers because they are good at telling the higher ups what they want to hear, these problems are doomed to be buried.
6) Even upper level IT management can be exceptionally dense about security problems. For example, in April of 2005, I filed a Sarbanes-Oxley whistleblower complaint that not only covered the retaliation I was going through for reporting data security problems, but also giving details about the problems themselves. Within 45 days of this, an external PCI assessor did an audit and found the company to be non-compliant in 9 of the 12 domains of the assessment (including Domain 3 – failing to protect stored data – which is what I had reported on), and within about 60 days the Cardsystems data breach (another 3rd party processor) was front page news. However, even with all these big red flags pointing to security problems within his own department, when asked during depositions about what was done internally at the company to review data security after the Cardsystems data breach, the CIO stated that he thought he had “talked about it in the hall” with someone.
7) During discovery we were only able to obtain documentation on the QSA assessments from the outside vendor – Verisign. Up until then, the company swore up and down that they had always been 100% compliant with PCI, but we found out differently when we received what documentation we could get from the Verisign via subpoena. Those documents showed that the company was PCI compliant in 12/04, non-compliant in 5/05, then compliant again in 12/05. This raises many questions in my mind.
8) Even under federal subpoena, the company refused to provide auditing documents that showed anything other than the final results that showed the “good” assessments, citing they had “problems” doing so. In trial, the VP in charge of security stated that he figured they had “lost” scanning results when questioned about certain missing documents that the PCI board had asked for. He saw no problem with this.

I won’t go on any further, as I think just this information is sobering to any IT security professional.

As far as whistleblower laws in security – there are laws on the books right now, but there is no real enforcement being done. To me the only answer is regulation AND TRANSPARENCY – but no one wants to touch it, and I think the reason is that VISA/MC are driving the US economy right now – and never mind the huge debt the consumer is carrying, the federal government doesn’t want to rock the boat with something as inconvenient as data security.

This is from someone who has been in the belly of the beast for a long, long time. I posted a 7 step guide to whistleblowing for IT professionals at http://whistlersear.wordpress.com.

Nell Walton, CISA, CISSP

(This may get posted twice - if so please delete the first - I was having IE problems - sorry)

Thu, 2008-07-24 18:45
Ethics play a role as well

Doesn't ethics play a role in whether or not to step up and stop something like this? Or is it just a fine line as to what a person perceives requires reporting?

Wed, 2008-05-28 15:39
Then what do we do?

Great insights Nell. Thanks for sharing those with us. I would agree that enforcement is often lax and complacency is a common theme when it comes to security.

So what can we do to get this treated more seriously?

Wed, 2008-05-28 15:47
Where is my statement??

Bob - I don't see my comments, but I guess you can see them. Anyway - there is only one answer. Accountability. Until that is addressed, data security is going to continue to be a problem.

Wed, 2008-05-28 15:30
Aren't we saying the same thing?

So I get that there are good people fighting the inside battles to get their companies to do the right thing. But to your own point, your business keeps taking steps that reduce its security posture over and over again. Is that in the best interest of your customers or your shareholders? Probably not.

I like your idea about getting security written into the CEO's compensation as an MBO. But isn't that essentially what SOX did? I really think we are saying the same thing but from different angles. I'm certainly not advocating that everyone run out and become a whistle-blower, but at some point there has to be a level of accountability injected into the management structure and maybe it will take regulation to do that. It's still the number one driver for security investment.

Bob

Wed, 2008-05-28 14:56
What is really happening

As an IT professional who WAS a whistleblower on this very issue, and one who spent the last 3 years of my life dealing with the subsequent litigation I think I can speak to this issue with some authority. Not only from my experience when I was trying to get something done about many large security holes in a company that stores billions of credit card numbers, but also what I learned during the deposition and trial process during the course of the lawsuit. It was a real eye-opener into how large businesses (and financial institutions) look at security.

This is what I learned:

1) First and foremost – if the company won't do anything about security problems, even major ones like what I saw in my situation – there is no outside regulatory agency that will take steps to rectify the problem. Not the Federal Trade Commission, Attorneys General at a state level, SEC (in the case of publicly traded companies), Congress, FBI, Treasury Department, VISA or the other card brands. For me, the only hope that I have currently of any agency doing anything about data security is the Public Companies Accounting Oversight Board (PCAOB) which can sanction accounting firms for not testing for state, federal and contractual compliance issues – which should include data security, successful PCI assessments etc. I tried every other avenue, including the courts, and got nowhere.
2) Because there is no real accountability from the outside, companies with poor ethical standards that flow down from the top level, not only don’t take security seriously, but have no compunction about lying to auditors, intimidating/harassing/firing staff that bring up problems, perhaps paying off PCI QSAs to falsify assessments (either that or it’s a don’t ask/don’t tell type of thing on the QSA side), just doing whatever it takes to get past the PCI and continue with the least amount of security possible.
3) VISA/MC apparently do nothing to enforce PCI unless there is a big breach, then they just take steps to get as much $$$ as possible from the MERCHANTS. They seem to do little or nothing with service providers – i.e. the third party processors and banks. VISA/MC can’t function without them.
4) During my trial I watched no less than 8 employees of the defendant testify on the witness stand that my greatest crime was going outside the “chain of command” to escalate security problems, and the absolute worst thing I did was report them to the Office of Information Security. This was after working for months to try to get the problems solved within my “chain of command.” I found this astounding.
5) Fixing security problems can very often be costly (both monetarily and time-wise), and if a company has a culture that promotes managers because they are good at telling the higher ups what they want to hear, these problems are doomed to be buried.
6) Even upper level IT management can be exceptionally dense about security problems. For example, in April of 2005, I filed a Sarbanes-Oxley whistleblower complaint that not only covered the retaliation I was going through for reporting data security problems, but also giving details about the problems themselves. Within 45 days of this, an external PCI assessor did an audit and found the company to be non-compliant in 9 of the 12 domains of the assessment (including Domain 3 – failing to protect stored data – which is what I had reported on), and within about 60 days the Cardsystems data breach (another 3rd party processor) was front page news. However, even with all these big red flags pointing to security problems within his own department, when asked during depositions about what was done internally at the company to review data security after the Cardsystems data breach, the CIO stated that he thought he had “talked about it in the hall” with someone.
7) During discovery we were only able to obtain documentation on the QSA assessments from the outside vendor – Verisign. Up until then, the company swore up and down that they had always been 100% compliant with PCI, but we found out differently when we received what documentation we could get from the Verisign via subpoena. Those documents showed that the company was PCI compliant in 12/04, non-compliant in 5/05, then compliant again in 12/05. This raises many questions in my mind.
8) Even under federal subpoena, the company refused to provide auditing documents that showed anything other than the final results that showed the “good” assessments, citing they had “problems” doing so. In trial, the VP in charge of security stated that he figured they had “lost” scanning results when questioned about certain missing documents that the PCI board had asked for. He saw no problem with this.

I won’t go on any further, as I think just this information is sobering to any IT security professional.

As far as whistleblower laws in security – there are laws on the books right now, but there is no real enforcement being done. To me the only answer is regulation – but no one wants to touch it, and I think the reason is that VISA/MC are driving the US economy right now – and never mind the huge debt the consumer is carrying, the federal government doesn’t want to rock the boat with something as inconvenient as data security. And why the press doesn't do more with this I have NO IDEA.

This is from someone who has been inside the belly of the beast for a long, long time. I have written a whistleblower 101 guide for IT professionals - it's on my blog, listed below.

Nell Walton, CISA, CISSP
http://whistlersear.wordpress.com

Wed, 2008-05-28 10:58
Whistleblower Laws
By On the Inside

I most wholeheartedly disagree with your view, which I believe to be based on the fact that you are not on the inside actually mixing it up and doing the job. Companies repeatedly do what is best for the bottom line on a daily if not hourly basis. Security is not a concern unless they are forced to deal with it and then only as a benign tumor that is removed and forgotten. You are outside looking in and only get the corporate line since many are fearful of voicing the truths due to corporate backlash. Who is going to hire you if you come out and speak the truth in public? Instead we have to lurk around dark chat rooms, subscribe to virtual couch trips, and write anonymously like this response.

Integrity is black and white but security has many shades of gray. I see this every day as my company chooses not to secure its end points, chooses not to write secure code but to get it out the door faster, chooses not to execute a proper disaster recovery and business continuity effort. I see choices made daily that are not really choices but institutionalized in the culture, and that reduce the security posture of the company. I see the business avoiding integration with security since they can choose to do so. If you were on the inside, you would change your tune.

Whistleblowers should be protected and even though Mr. Benson did not really go the whistleblower route, the actions taken by TJX are typical of organizations who want to censor the message. Selling clothes is what they want to do, not deal with security. It is not a line item on the budget. TJX does not give a rat's arse about security and is laughing all the way to the bank.

How many times do security professionals need to explain our plight before people actually start to listen? I know you can hear me but why don't you listen?

Should there be regulation? Maybe. What there needs to be are CEOs who actually get it and use security as a value multiplier. Put it in their bonus package as an MBO and then you will see action.

Security organizations are not built on secrecy. They are built on integrity. In most cases, this does not coincide with the bottom line.

On the Inside
