Krypt3ia

(Greek: κρυπτεία / krupteía, from κρυπτός / kruptós, “hidden, secret things”)

The Information Security Business.. AKA The Cassandra Syndrome


I had an incident today that kind of epitomizes the security business for me… Well, one aspect of it that is. I call it the “Cassandra Effect” and it is more common than one might think. In my case, I am Cassandra and my prophetic insights are often unheeded or misunderstood as the rantings of a paranoid personality.

That is, until the prophecies come true... But by then it's too late.

Today it was a manager within the company that I have been working for as a consultant who shrilly pushed back on findings that the company (X) did not have an incident response process in place that was documented and auditable. Never mind that my finding stemmed not only from asking for the documentation and them telling me they had none, but also from the fact that an incident had recently occurred and I watched as their incident response was muddled and likely would not have happened at all had I not been there to alert them to the malware causing the incident.

But… According to this manager, there was no need to document a process for incident response because they would not be audited by anyone, say for a SOX audit, and be required to show their auditable incident response documentation/processes.

Of course, the SOX regs might say different, huh?

Thankfully, I stopped myself from arguing this any further and trying to explain that this was indeed the case and that even if the SOX folks did not ask, because they often suck at auditing, the PCI folks certainly would… I could hear the name whispered as the incident response post-mortem call went on, however.

“Cassandra”

Am I the only one who feels this way or is treated as such by clients who ask for security services? I mean, you go in, you do your job and document all the deficiencies, state the gaps and map them to regulations, and still you get pushback saying

“Well, we don’t need to fix that”

Hell, this even happens after you exploit systems and steal their data and show them. They still look at you and say:

“Well, you do this professionally, this won’t ever happen in the real world”

Why? What is it that causes these cases of self-delusion in certain C-level execs? I really don't understand their reasoning here. I certainly did not understand this person's need for their responses to be so confrontational. I mean, is it just that they feel that their job is on the line? Is it that they are not willing to spend more time and money? Because really, the only investment here would be time. Time to write the incident response plans and have them published.

So what's the deal here?

I attribute much of it to the fact that security, much like the appearance of a UFO to Neanderthal man, instills fear into their hearts and minds. Simply put, they see it all as magic and beyond their comprehension, moving some to disbelief of what they see before them.

It could never happen here!

This is just too arcane!

Who’d want our data anyway?

Well, I have news for you: this is the future and the future is security, my friends, and we... we are doomed.

I wonder what will happen tomorrow when I send them the links to the SOX requirements on documented processes such as incident response….

CoB

Written by Krypt3ia

2010/07/28 at 02:04

6 Responses


  1. You know what they say, “You can lead a horse to water…”

    You can't save everyone from themselves. Do your thing, write up the report and move on. People like this don't want to listen to guys like us. They just want to mark off the check box so they can convince someone into believing they've done their job – including themselves. =/

    I bet people like this don’t have a will or life insurance either. LOL

    Mister Reiner

    2010/07/28 at 07:50

  2. Mister,
    Heh, sounds so formal, like it should be said in a dustbowl drawl... Anyway, I read your post on this very topic/thought and we think alike.

    There are more than a few professionals lamenting today about the state of security and its business element, which has become a FUD-A-Palooza. The recent events with ol' Gregory LIGATT Evans show just how charlatans of his ilk are getting into the mix and fucking the pooch even more.

    I think I am gonna ruminate some more on this and I feel another post imminent.
    CoB

    crabbyolbastard

    2010/07/28 at 13:23

  3. many people still think any type of security assessment is just come in, look at some stuff, scan some stuff, maybe exploit some stuff and throw out a report.

    unfortunately most security vendors perpetuate this because of the need to crank out as many pentests as possible so they can turn a profit that quarter. none of that mentality actually leads to making a more secure organization or even getting them to think about simple things like what it is they are trying to protect.

    until we move away from having a pentest because "i heard they were cool" or "regulation X requires me to have one, therefore i do the bare minimum to check that box", we are doomed and doomed to keep repeating the same problems.

    personal opinion is that most places don't take the time to think about what it is they do/make and why they should protect that. some places are easier than others, because maybe their competitor wants to steal their widget design (that's easy), but maybe hospital clinic X doesn't think all those patient records are important (when in reality they are), or mom and pop biz doesn't think their data is important, but Brian Krebs has shown numerous times that access to their business account is valuable, so they are a target, or at least targetable, or at the very least vulnerable: they can be targets of opportunity if they get hit with something while surfing pr0n on the same computer they bank from.

    we're a long way from this though. we can't expect clients to get it until more security vendors/consultants/industry start to get it and talk about it.

    CG

    2010/07/28 at 15:35

  4. Looking forward to it! 🙂

    Mister Reiner

    2010/07/28 at 16:01

  5. […] into the land of FUD and Security Theater as well as a side trip into the shadow lands of denial. My last post about a call that went awry also got responses from others in the business including Mr. Reiner, […]

  6. […] the nature of security is at odds against us here isn’t it? After all, aren’t we all Cassandra’s here? No one really wants to hear what we have to say because its scary and requires […]
