Norse Corp. posted a blog article (link at bottom) summarizing a recent survey of security professionals at the e-Crime Congress. I’m not familiar with the e-Crime Congress or this survey, but after reading Norse’s summary a few key bullets raise serious questions:
My first thought when reading this was that a potential prison sentence would severely restrict the pool of individuals willing to serve as C-suite executives or board members. It’s not that I think they shouldn’t be personally accountable, as they already are for many other things, but I believe intrusions fall into another category entirely. I’m in the mindset that all organizations can, will, and perhaps already are compromised. Further, I believe there’s very little that can be done to bulletproof any organization. A compromise will happen to every organization, period. The focus should be on detecting these events, protecting assets post-breach, and ejecting the attacker from the environment. Putting executives in prison for something inevitable is a bad idea with no upside for anyone.
The blame game is another interesting aspect the Norse article pointed out. Whose fault is it that the company got compromised? Does it really matter? A compromise is inevitable. Someone will do something wrong and it will result in bad things happening to the company. It doesn’t matter whether it is the CEO, a salesperson, or even a third-party contractor. And even once you do figure out who clicked what, what are you going to do? Would you fire an employee because they’re not an IT security expert? I hope not, because I’m sure they’re employed to provide expertise in some other area.
There isn’t a reasonably sized company anywhere that I’m aware of that employs 100% IT security professionals who specialize in not clicking stuff. Even if there were, this niche of folks falls for things once in a while too. I’ve done it. Blame will only hinder employees from doing the right thing…reporting the mistake. Let’s be honest, if I knew I’d be persecuted by $(name your person/dept.) for reporting a mistake, it’d sure make it a lot harder than if I knew there was zero chance of a negative reaction. What if you fired the last employee that got a malware infection? Even if that wasn’t the actual reason but was perceived that way by the rest of the personnel, it’d surely strain future incident reporting. Then you’d really have to weigh your options…is it worth it, or do you just play dumb and hope for the best? People make mistakes, as noted above; architecting your environment to deal with them is the answer…not punishing the personnel who make the mistake. Protecting the company is an all-hands effort. There’s no other way it could possibly work.