A while ago, a press article quoted me as saying that the only way things were going to change in most organizations, in terms of how they manage risk and IT Security overall, was government and regulatory policy forced down management’s throats, with threats of bad things if basic, common-sense things were not implemented. (I didn’t actually say the latter. Then again, maybe I did, but it wasn’t printed.)

After a couple of years seeing what the financial regulators were starting to do in Asia, and seeing what was not happening here in Australia, it became evident that the one common denominator behind the progress in IT Security and Risk Management practices in Asia was regulators like the MAS, BOJ, FSA etc. Their development and circulation of pretty decent “Guidelines” (read: do it or else!) to banks, with a particular focus on foreign-owned entities, to stamp out weak practices and the potential bad flow-on effect to the country in question, meant that for the first time IT Security people were being brought into real-world-facing positions and, dare I say it, finally being listened to on a full-time or close to full-time basis.

Oh, what a difference it was, coming from a position in an Australian company where every achievement was a battle, to a position where a company’s reputation and business were also staked on the success and input of specialised IT Security and Risk guys. Finally, proof that it can happen! Now don’t get me wrong. Things still weren’t, and aren’t, perfect, but they were far, far and away light years from what I was used to.

When I did return to a local focus, the difference in practices was scary – very scary. WTF was going on here in Australia? WTF do the regulators do? WTF does the government know? Nothing had really changed.

Sadly, things haven’t changed that much in the last few years. SOX, ISO standards and various other things have seen their fair share of popularity, but at the end of the day, who really believes that their implementation has made any significant difference? Great, you’re SOX compliant and you’ve just had an audit to show you’re almost 27001 compliant, BUT (luckily for you, you have a smart IT Manager who decided to hire us to do a real security review) we’ve just demonstrated how we can own your entire global network, relatively easily, because basic security controls are not in place. But at least you are compliant! Go figure that one out. (More on security vs. compliance another time.)

Anyway, back to the press article. The journalist needs to include a response from someone in “authority” to round off the story. A government dude responds, disagreeing with my view that the only way things will change is by firmer controls being mandated. He goes on to state that they are in the process of developing some FYI standards, that organizations will be able to read and hopefully use them when they come out, and that this will solve the problem. Awesome, I thought! Just what we need: another set of optional standards to sit alongside the scores of similar ones that are already out there collecting dust.


PS. They never did release anything (at least not that I am aware of).

A good guy (who I’ll call ‘Irish’) left the industry last week. There aren’t that many good guys in this industry as it is, so he’s going to be missed. At least by me.

It’s not that he had something else, something better, to go to. He didn’t. He’s just packed it in, fed up and sick of beating his head against a brick wall as an IT Security Manager in a large corporate.

I don’t have those same frustrations as much as I used to. I moved to the dark side (consulting) a few years ago and it’s not as frustrating on this side. People tend to listen more to consultants, and I like to think my teams and I know a bit about what we’re talking about, so we’re actually making a difference for our clients. Does that make consultants special? Crap it does, and I still reckon 90% of consultants are exactly as described by Scott Adams in his first book. You know the one. The chapter on ‘Consultants’ should be mandatory reading for all consultants... I digress and will leave this story for another time (maybe), but hopefully you get my drift.

So back to Irish. I know where he’s coming from, and I doubt there’s any guy or girl who works in IT Security for a company who doesn’t. We must have certain shared personality traits. They’ll do a study one day and identify a gene we all share that drives us to work in what is generally the most thankless of all IT jobs.

I spent many years working inside large corporates in various IT roles. All of them, aside from the security role that I eventually decided was my future, were rewarding in terms of being able to achieve things and be listened to. Once I moved into the security position, the world flipped on its axis and things changed. A lot of that time I wondered why they had me there at all: you pay me good bucks to do a job and then you don’t want me to do that job. They loved me when I supported what they did, and they tried to pretend I didn’t exist when I didn’t.

That was quite a while ago, and I moved on as I mentioned, but sadly things haven’t changed much at all. I see it every day. Guys like Irish: committed, working long hours, keen to make a difference, having to fight every step of the way to make even a small change. Why does this happen? Sure, there are times where we probably go a bit overboard, but hey, sometimes better safe than sorry. Seriously though, in most cases there is method to our madness, and at the end of the day, all Irish and co are trying to do is highlight a mess and fix it! It’s not a hard concept to understand.

I remember not that long ago, a CIO telling me that security was not important, “we’re not a bank or something like that!” He’s still in that role.

A classic CIO story, though, belongs to the CIO of a very high profile organization that plays with money. Unfortunately this guy is not a one-off freak; there are a lot of these guys out there, they’re a danger to their companies, and somehow life goes on. Now keep in mind, this happened years ago, well before my current business. We’re not in the habit of highlighting our clients’ problems in public, but since this happened before my current role, it doesn’t count. Anyway, we’d just delivered him two pretty bad state-of-security reports, provided remediation advice, and demonstrated that with a little bit of process change (nothing major, and no money as such to be spent) significant risks would be quickly and easily minimised. Having only recently met this guy, and having no reason to think he wasn’t reasonably bright, I actually believed he would take this on board with a big thanks and “we’ll get onto it straight away; this is bad stuff and we need to fix it!” Silly naive me. Nope. He hadn’t even bothered to read the report before our meeting. His excuse: “I can’t do anything about this anyway” (in reference to whatever recommendations we may have put into the report). The rest of the conversation went along the lines of:

Me: “But you’re the CIO aren’t you?”
Him: “I am,” he replied, very confidently.
Me: “So you can’t do anything?”
Him: “No, the business has to tell me to do it!”
Me: “So what is your role?”
Him: “I do what the business tells me to do”.
Me: “You don’t see it as your role to tell them that they have significant security exposures?”
Him: “It’s not my role”.
Me: “Okay…thanks for your time!”

It’s no wonder guys like Irish decide that it just isn’t worth it.


PS. The CIO’s company had a major security breach six months later. (I had moved on by then, but old contacts gleefully passed on the story.) The board asked him what he was going to do to make sure this didn’t happen again. The Risk Management Group nicely passed the initial report on to him again, from which he proceeded to cut and paste all the recommendations into his own report, which he presented to the board, making him the hero for a day or so.