From: InfoSecurity

Blog Post by John Walker

I have been around the IT and cybersecurity Industry for a few years now, have had some experiences which I have enjoyed, and others I would prefer to forget. I have worked with some of the largest consultancies in the UK, and some of the biggest companies on this planet – and from time-to-time, I have seen things done, and ignored by Internal, and External Security Professionals, & Auditors which have left me stone-cold. I have encountered data exposed en masse, which has been quietly massaged into the dark corner of non-reporting, and have observed, on one occasion, a CISO and his immediate Director of Compliance, both complicit, negligent, and culpable of allowing security to fall into second place to their own individual interests.

However, within the last 18 months, in the cases of Sony, RSA, a PCI-DSS leading advocate Bank's distribution of 15 million Insecure Smart Cards, failures of internal controls in Banks, the RBS Systems debacle, right up to date with the current case of HSBC being complicit & culpable of not accommodating adequate CTF (Countering Terrorist Funding) Controls, I do need to draw breath and gasp. Phew, and please forgive my vexation, but I am just starting to wonder, just what the **** is going on?

When attempting to winkle out some of the root causes, one may stumble upon the fact that the circumstance of ‘Personal Interests’ may be one complicit factor within our modern day business environment. In this mind-set, sustained focus can be set against EBIT, and the associated cost reductions to assure its success, which of course will be based on and driven by those ‘Personal Objectives’, which, on occasions, as we have observed, may be gratifying for the incumbent beneficiaries, but not necessarily for the longer term business strategy, and stability. But then who cares, as the decision makers in the driving seat of the day may be long gone when the chickens come home to roost, along with their over-egged adverse consequence. In fact, just to bring this to life, let us consider a real life example in which some 35,000 client records belonging to a major UK Bank were lost by their East Midlands based ‘authorised’ custodian. In this case, an unencrypted laptop was stolen from locked premises, suggesting an insider job. So, what was termed a Major Incident Security Review was convened. However, to massage the problem off the Corporate Risk Register, the Director of Compliance presented the conclusion that, since the laptop had been stolen within the previous 24 hour window, there had been no conclusive proof that any user details had been compromised, or misused, and thus directed the incident be closed, with no further action – even worse still, the Bank in question was never made aware of the loss, and so in ignorance of the event, yes, they were blissful!

And then in the same organisation, there are examples of RED Audits turning to Amber or Green out of closed door meetings between the IT Director, and the Head of Internal Audit, producing a brand new, fully modified set of conclusions, and recommendations!

We may even consider the ghost transfers of around fifty million UK pounds which have taken place in a number of banks, with no awareness of where the funds had gone, who transferred them, or when the event happened – they just know that money had disappeared, as if by ‘magic’ – all very worrying, I am sure, or hope that you agree, but it does of course raise a big question mark over what compliance and security are represented by.

And then there is the matter of ‘Invested Corporate Culture & Practices’ which, no matter where the indoctrinated staff emerge from, from what I have observed in recent times, means these leopards never change their spots, with examples of one disgraced senior security operative being replaced by a new incumbent crawling out of the same disgraced bedrock as their predecessor, with a clear intent and motivation to ‘manage’ security, rather than to manage it – if you take my drift!

And this brings us to that good old conversation piece around skills, so rightly pushed to the top of the agenda by Baroness Pauline Neville-Jones. Here I can attest from some previous roles, where a highly paid individual ever repeated that ‘this particular element of security is not in my level of understanding’, leaving me at the end of the engagement, wondering why such a lacking operative was actually being employed at all, never mind the fact they were also holding a very senior post!

And for my own part in the world of Security and Compliance, I am wondering, when one is party to such events, where their individual and personal responsibilities lie in relation to ‘Ethics’ – what is the right, and wrong thing to do when major corporates cast care to the wind, and just carry on regardless hoping that nothing will come-to-pass? Who does one escalate to, and to what level in the organisation, with a mind to keeping their employed status as, well, ‘employed’?

So, the big question is, where do ‘we’ go to start to make stuff right, and to secure ‘our’ areas, operations, companies, and the global economy? A BIG question, I know, and one I do not have the complete answer to right now. However, it may be a good start if we as Security Professionals can start to stand up and to speak out just a tad louder. Maybe it is time for Security Professionals and Auditors to look beyond the attraction of their ‘immediate’ reward and consider the longer term strategy and consequences of corporate actions, or inactivity. And maybe, just maybe, if we believe in what we are employed for and to do, we must counterbalance what are considered to be ‘ethics’, against, well, ‘ETHICS’.