The Information Security Business... AKA The Cassandra Syndrome
I had an incident today that kind of epitomizes the security business for me… Well, one aspect of it that is. I call it the “Cassandra Effect” and it is more common than one might think. In my case, I am Cassandra and my prophetic insights are often unheeded or misunderstood as the rantings of a paranoid personality.
That is, until the prophecies come true... But by then it's too late.
Today it was a manager within the company that I have been working for as a consultant who shrilly pushed back on findings that the company (X) did not have an incident response process in place that was documented and auditable. Never mind that my finding stemmed not only from asking for the documentation and them telling me they had none, but also from the fact that an incident had recently occurred and I watched as their incident response was muddled and likely would not have happened at all had I not been there to alert them to the malware causing the incident.
But… According to this manager, there was no need to document a process for incident response because they would not be audited by anyone, like, say, for a SOX audit, and be required to show their auditable incident response documentation/processes.
Of course, the SOX regs might say different, huh?
Thankfully, I stopped myself from arguing this any further and trying to explain that this was indeed the case and that even if the SOX folks did not ask because they often suck at auditing, the PCI folks certainly would… I could hear the name whispered as the incident response post mortem call went on however.
Am I the only one who feels this way or is treated as such by clients who ask for security services? I mean, you go in, you do your job and document all the deficiencies, state the gaps and map them to regulations, and still you get pushback saying:
“Well, we don’t need to fix that”
Hell, this even happens after you exploit systems and steal their data and show them. They still look at you and say:
“Well, you do this professionally, this won’t ever happen in the real world”
Why? What is it that causes these cases of self-delusion in certain C-level execs? I really don't understand their reasoning here. I certainly did not understand this person's need to be so confrontational in their responses. I mean, is it just that they feel that their job is on the line? Is it that they are not willing to spend more time and money? Because really, the only investment here would be time. Time to write the incident response plans and have them published.
So what's the deal here?
I attribute much of it to the fact that security, much like the appearance of a UFO to Neanderthal man, instills fear into their hearts and minds. Simply, they see it all as magic and beyond their comprehension, moving some to disbelief of what they see before them.
It could never happen here!
This is just too arcane!
Who’d want our data anyway?
Well, I have news for you: this is the future and the future is security, my friends, and we... We are doomed.
I wonder what will happen tomorrow when I send them the links to the SOX requirements on documented processes such as incident response...