Saturday, May 1, 2010

Wall of Shame: Accountability

This is, perhaps the most telling and damning reason why security fails.

In one of the documentaries I saw recently, there was an ex-CIA guy who basically said (and I'm paraphrasing here) that "we could solve the worlds security problems TODAY, if people wanted. All they needed to do was make organisations criminally liable for poor security". The crux of the message being is that people don't implement security correctly because at the end of the day, they don't perceive that they have to. Or more specifically, they don't see why it should be their problem.

Despite the regulatory landscape of the US, one thing is clear - that lawmakers and organisations are trying to introduce accountability for the actions of businesses everywhere. When the law doesn't work (HIPAA, SOX) then it relies on industry self regulation (PCI-DSS). While there are arguments why this is bad (ranging from the profiteering by vendors flogging solutions that act as the silver bullet to the above, people dodging the whole compliance regime by doing the bare minimum and then tarnishing the compliance regime when all these organisations are pinged for non-compliance after they hacked) - I believe the fundamental notion of compliance is sound. That is to say 'make people take ownership of the problem and fix it.' To date, it has been the single most - if not the only way - I've seen people spend money willingly on security initiatives (other than fear of compromise or actual compromise).

Looking at Australia, our regulatory landscape is simply not there. We're being drafted into the 21st century kicking and screaming by our European and U.S. brethren. For our financial institutions at least, APRA seems to be leading the charge with PPG234, Australian Government has the PSM. But seriously, we're still a loooong way to go. Our global partners don't share our euphemism of "she'll be right mate". Our days of shoddy workmanship are closing. The fact is I often wonder how in the hell anything still works. Is it because we're not targeted - or perhaps the more scary (if not probable) thought that we are and perhaps just lack the basics in being able to even detect it?

There are entire environments going unpatched, Conflicker propagated by administrators unwittingly and then heaping the blame onto others who point out the problem and the root cause. These same no talent ass clowns are the ones that are completely negligent in their duties. Seriously, we need to start treating these so called "I.T. professionals" like we do negligent doctors - loss of practise, fines, negative publicity, jail time.

But do we? Hell no. That would be far too logical.

No, we just bury our heads in the sand, write the incident off that the individual has "learned his lesson" (what lesson exactly can be debated) and we move on. Nothing is done. No formal warning. The world just ticks on in its usual harmony and splendour.

And this is the culture within Australia. The presumption that everything will be right, its not my fault, not my problem, that I'm a "unique and beautiful snowflake" blah blah blah. This same attitude extends to the so many areas of our lives - our finances, our environment, our relationships. The net effect is we take everything for granted and do not value what lies before our face. The sad reality is most people don't until its taken away - and this is my fear for Australia: that it is going to take an incident of incredible proportions before anyone takes security seriously. I thought the Google:China incident was a good start, but then again its too far removed from anyone here in Au. No, it won't be until we've had our own "Digital Pearl Harbour" that people will take security seriously.

However, I've been in information security full time since 2003. That's about 7, going on 8 years (OMG, that long??). I don't think its a long time compared to some, but its a respectable amount I think. Am I naive in thinking this event will come, has gone and I wasn't there, or am I waiting for something that is most likely a non-event? I don't think I've been in the game that long but perhaps long enough to spot trends. The whole compliance thing is the only trend I've seen which has really effectively driven security - from the top down. Not to say that the solutions have been perfect mind you, or that audits are fantastic (I hate them personally) but what can I say, I believe in the approach and the having a top-down approach to any security problem is always a good start.

I have started to run askew from my original point, but my point was that in Australia we have a cultural attitude that is so pervasive within our working environment, it means that it is almost impossible to solve any security problem as long as people don't give a damn (yes, I know this gives me job security but that's not the point). I know that this isn't just an 'Australian problem' and I don't want to sound harsh bashing on my own country, but I've met too many people from too many countries (and seen too many, let alone worked in others) to know that it doesn't have to be that way. We - as a country - need to step up and start taking accountability. We're the fattest nation on the planet, the largest consumers of water per capita and one of the largest airborne polluters per capita in the world. For all the good things we have, compared to so many other countries, how did we let it come to this?? Why is it we have such a hard time setting the example for the right reasons?

Anyway, I'll leave you with this thought:

     Which is the greater evil: forcing people to do the right thing, or watching people avoid doing the right thing if it is easier for them to do so?

- J.


@$h1$h said...

I guess no comments to the topic further nails the fact that people prefer to close their eyes to anything that shakes their sanctum of solitude. :(

Jarrod said...

Or find themselves in a position where they are unable to comment. :)

- J.

@$h1$h said...

touche :P