Disciplining IT Security Pros for Breaches
Holding CIOs, CISOs Accountable for Hacks on Their Watch Is Rare
With all the recent news coverage about breaches, you rarely, if ever, read about an IT or IT security manager being disciplined in any fashion, let alone fired.
Executives - whether agency heads or corporate CEOs - might be disciplining the technology managers responsible for IT security after a breach, with word of the punishment never leaking out because of laws protecting employees' privacy. It's doubtful that's the case, especially in government, where getting rid of an employee isn't easy, as pointed out by Paul Kurtz, a former senior director at the National Security Council's Office of Cyberspace Security, in one of the first interviews we conducted shortly after launching GovInfoSecurity.com 2½ years ago (see Heads Must Roll When IT Security is Compromised).
"That has always been a problem for taxpayers; they don't see accountability, they don't see people who have made mistakes relieved of their duties and having to go out and find another job," said Kurtz, managing partner for Good Harbor Consulting.
But when a breach occurs, should CIOs, CISOs and other IT managers be held accountable? Most publicized breaches involve an outsider or a wayward insider gaining entry to information they have no right to access. In the Texas comptroller office case, the sin involved allowing unencrypted personally identifiable information to remain exposed on a server for up to a year, an oversight that easily could have been mitigated (see Texas Comptroller's Breach Lasted About a Year). Heads rolled, but not that of Comptroller Combs, an elected official who expressed deep sorrow and took full responsibility for the breach, and who doesn't face the voters again till 2014. (Will the breach hurt Combs' chances for reelection if she should run? Voters - or corporate boards of directors, for that matter - have shown no inclination to hold top executives accountable for breaches. Perhaps attitudes will change three years hence.)
The Blame Game
When hackers break into systems, should CIOs and CISOs be blamed? After all, organizations with some of the most sophisticated cyber defenses - the U.S. military (see Hackers Breach Most Sensitive Military Systems) and security vendor RSA (see RSA Says Hackers Take Aim At Its SecurID Products), to name just two - have been breached. Many, but not all, top security experts contend that the bad guys will get into systems.
"The climate the press has created is that hackers are somehow supernatural and can't be stopped; everybody falls victim," says Gene Spafford, a Purdue University computer professor and executive director of its Center for Education and Research in Information Assurance and Security. "So long as the head of IT can say 'It happens to everybody, even the government and security vendors,' it will be difficult to blame them for not taking appropriate measures."
(Spaf is right: the happens-to-everybody excuse has taken hold, but it's not just the media conveying that message; it's what we're hearing from most IT security pros we speak to.)
Spafford said organizations can defend against most breaches, but that would require some fundamental changes in architecture and connectivity that governments and corporations will not consider. "So in that sense," he says, "it's unfair to punish the manager."
Dan Mintz, a former Transportation Department chief information officer, picks up the theme that senior management, not necessarily the IT and IT security organizations, should be held responsible for breaches. "In most cases, security professionals are at the tail-end of a series of policy decisions ... and ending in the lack of resources allocated to security staff," says Mintz, chief operating officer of Powertek, an IT services firm. "I remember a conversation on this same topic with the senior political staff about whether and how to discipline someone who brought bad news associated with a security situation. The answer I gave then I would give again, 'If you shoot the messenger, you will stop getting any messages.'"
Exploiting Lessons Learned
Bad things happen to good people, and intrusions into IT systems will continue to occur despite the initiatives of many IT security professionals.
I don't recall where I heard this tale - or whether it's true - but a manager was called into his boss' office after a project failed, expecting to be fired. To his surprise, he received a promotion. "Why?" the befuddled manager asked. "Simply," his boss replied, "you learn from your mistakes, and I don't want to lose that knowledge."
That's sort of the point made by Eddie Schwartz, RSA's new chief security officer, in describing how the company's IT security staff felt about a major breach occurring on their watch (see RSA's Post-Breach Security). "Guys who are true, hardcore incident responders, for them, these are times when they really thrive because it gives them an opportunity to get a better window into advanced, adversarial techniques. Out of that process (comes) better solutions."