[ISN] Living in Glass Houses – #InfoSec Industry’s Culture of Shaming

http://blog.wh1t3rabbit.net/2013/10/living-in-glass-houses-infosec.html

By Rafal Los
Following the Wh1t3 Rabbit
October 7, 2013

If you’re anything like me and like to keep up on the industry, you’ve no doubt been overloaded with news on the apparently epic Adobe hack. As some of you may no doubt point out, I’m no apologist for companies who fail to take security seriously, and I’ve made my share of pokes and jokes at Adobe’s expense over the years. There is, however, a line I hold myself and others who wish to be known as professionals to. That line is personal hit-pieces where you’re targeting a particular individual for the sins of the collective. This is commonly known as bulls***.

That being said, I took serious offense when I saw the original version of this post (I wish I had taken a screen capture, but it was quite distasteful) from Richi Jennings on Computerworld. When I read the original, which basically sought to crucify Brad Arkin for Adobe being hacked, I got upset. So upset that I took to Twitter and let Richi know it, and I can’t say I was too polite either… After a few others laid into the author, the post was dramatically changed, the picture of Brad with the overlay “Fire Me” came down, and there was an apology. Of course, if you want to see the sorts of trolls that apparently read that column, look no further than the comments… yikes.

Anyway… let me get to the point. There are some points I think we largely still miss as a security industry, judging by the interesting and colorful discussion about firing CISOs in the wake of a breach we had earlier in the day this post was written.

First, security is hard. Those who lament the failures of security professionals on the defensive from their offense armchairs (aka penetration testers) need to play defense for a while. You’ll get an attitude adjustment, I promise.
I came from a small-company penetration tester mentality when I joined a massive global conglomerate back in the early 2000s, and let me tell you that attitude adjustment was harsh. My “why can’t you just fix this” was met with retorts like “because we have budget to do one of two things: release the product and make the company money and keep our jobs, or hope to add security” over and over. I eventually learned the harsh lesson, luckily before I was relieved of duty. […]