A survey conducted at the 2015 RSA Conference (RSAC) found infosec professionals ever wary of the consequences of reporting breaches and vulnerabilities.
The survey was conducted by security vendor AlienVault Inc., based in San Mateo, Calif., and gathered responses from 1,107 attendees at RSAC. The survey was anonymous and multiple choice in an effort to promote honesty on sensitive topics.
The results showed that IT pros didn't always see honesty as the best policy. While a solid majority (68.2%) said one should be honest, open and cooperative when an auditor came around, that still left nearly 32% who said it was best to either "steer them away from bodies" (20.3%), ignore auditors (7.3%) or disclose a gap to get the auditor to leave you alone (7.1%).
Respondents said dealing with auditors is especially tricky because a bad audit reflects poorly on their work, while good audit results make it more difficult to secure funding. So, the best outcome may be to get an audit somewhere in the middle that showed executives "things weren't bad, but they could certainly be improved."
Craig Spiezle, executive director and president of the Online Trust Alliance and someone who regularly briefs the U.S. Congress on self-regulation within the cybersecurity industry, said he isn't sure this line of thinking will actually influence actions when dealing with auditors.
"I think one can internalize it that way. Do they act that way? I would doubt it," Spiezle said. When it comes to how you present your case, he added, "In an audit, you're being held accountable for it. You as a company make assertions against regulatory criteria and you could become legally bound to those."
On the topic of data breaches, AlienVault asked who should be held responsible when one occurs. CISOs were named by the greatest number of respondents (38.8%), followed by CIOs (26.4%), CEOs (23.9%) and VPs of IT (23.9%). A smaller percentage (10.2%) said auditors should be held accountable, and AlienVault said respondents specifically mentioned PCI QSAs in this regard.
While only 9.2% said that the board of directors should be held responsible when there is a breach, 66.8% of respondents said a breach should be used to convince the board to approve more resources for the security budget.
Javvad Malik, security advocate for AlienVault, said that he was somewhat surprised by these results. Given that the respondents were security professionals at RSA, "I would have thought the CISO number would have been lower and the board of directors or another purse-string holder would have been higher up."
Spiezle said it shouldn't necessarily be a matter of placing blame, but rather making sure that the party reporting the breach puts the incident in proper perspective and doesn't get punished for doing his or her job.
"In the case of security, we all need to have an open and respectful dialogue and not shoot the messenger," Spiezle said. "There's always going to be a risk, no matter what you do. How do you manage that, and how do you create a culture that's open, respectful, and also where security is everyone's job?"
Additionally, 20% of respondents said they had worked at a company that had covered up a breach, 58% said they had not worked at a company that had hidden a breach, and 22% weren't sure one way or the other.
Spiezle said it was difficult to read much into these responses because the ideas of what constitutes a data breach and what would be a cover-up can be very different between companies and in regard to different types of breaches.
"If we lost data and recovered it, is it considered a breach? If the data was encrypted and the key wasn't lost, was that a breach?" Spiezle asked. "IT teams can be confused at times because of this. If you don't feel that there is damage or risk of loss because of encryption, it may not be considered a breach because one thought is they don't need to disclose anything unless there is a reasonable expectation of harm."
Malik admitted AlienVault didn't want to get bogged down in these technicalities, and left the definitions up to respondents in order to capture the whole spectrum of breaches.
Overall, Malik wondered if the data in the report indicated something like growing pains for the infosec industry as it comes into the media spotlight more and more.
"There's lots of pressure being put on these professionals in their jobs. When we look at information security, it's still quite a young industry compared to others," Malik said. "From a media perspective there is rising awareness; so, we're putting all of this pressure on these professionals and it's inevitable that something is going to have to give at some point or another."
Spiezle agreed with this reading to a point, but said the security space is getting more complex as it becomes more decentralized and split between on-premises systems and the cloud, and the job itself is difficult and unforgiving.
"There's chaos, there's uncertainty, and there's confusion in the best of cases. This creates this anxiety and misinformation that comes out which may not be intentional," Spiezle said. "You're trying to put out a fire and everyone is running around like Keystone Cops sometimes. It's sad to say, but that's what happens. You're destined for failure if you don't have a plan, but you're also destined for failure if you don't take a holistic view."