An IT security pro’s personal tale of a long and bloody job hunt and what it says about the industry’s current state of affairs.
Why is it that when a serious breach occurs, the executives panic and find the budget to spend extraordinary amounts of money to remediate the breach? Why is it that they seem to degrade a vital component in any business — the security of their data? Don’t they know that one serious breach can jeopardize the existence of their business and perhaps lead to criminal investigations? Why is it that many organizations just have one security executive with no staff and hardly any budget to work with as just a figurehead in the organization? Several states and the federal government, have enacted or are now enacting tough laws, some of which carry severe penalties should a serious breach occur, including requirements of complete public disclosure to all the victims associated with the breach.
Never mind the mountains of lawsuits that can put a company out of business. This is what’s going on — many companies are revolting, but the laws are being enacted, and ignorance is not bliss. Doing more for less is not the answer. It is not good business to put an organization’s assets at risk — particularly in this economy where security staffs are depleted and not valued. This is not an area where businesses should be doing more with less. They should be doing the opposite to ensure their survival.
At the federal level, top information security specialists have been saying for years that our current infrastructure is at grave risk. Serious breaches have since occurred, and the government is now scrambling. Most of the agencies have been mobilized, and at least four of the national laboratories are in an all-out effort to combat breaches and prevent future ones. Billions of dollars were budgeted to upgrade and secure the nation’s infrastructure, and why was this? Because the same pattern keeps repeating itself. Security is ignored or pushed lower in priority until a crisis erupts and then there is a scramble to correct the problem.
While I am still gainfully employed, I also can say I have seen first hand this “effect” in many places over my time in the field of information security. I can also attest that in this climate companies are still very much trying to do more with less including security. Though much of the time they instead choose “security through obscurity” or outright ignorance as their way ahead.
Frankly, unless the government creates and imposes laws and large fines for data loss all too many companies are willing to sign off on the risks of compromise even if they are high and just hope for the best. At worst, there are companies with CIO’s who are just not cognizant at all about information security and instead focus all their attention on the financial bottom line and “customer satisfaction” instead.
Still worse, imagine the CIO or the CSO who knows the dangers and is forced to or chooses to ignore them to save the company money. In the end though, they all are likely to feel the sting of the hackers’ keyboard as they steal their data and perhaps their reputations.
So why is it that these companies and C level execs just fail to see or blind themselves to the dangers and work toward remediate them?
Inability to grasp subtle concepts like hacking?
I really wonder…