http://blog.wh1t3rabbit.net/2013/10/living-in-glass-houses-infosec.html
By Rafal Los
Following the Wh1t3 Rabbit
October 7, 2013
If you're anything like me and like to keep up on the industry, you've no
doubt been overloaded with news on the apparently epic Adobe hack. As some
of you may no doubt point out I'm no apologist for companies who fail to
take security seriously, and I've made my share of pokes and jokes at
Adobe's expense over the years. There is, however, a line that I hold myself,
and others who wish to be known as professionals, to. That line is personal
hit-pieces, where you target a particular individual for the sins of the
collective. This is commonly known as bulls***.
That being said, I took serious offense when I saw the original version of
this post (I wish I had taken a screen capture, but it was quite
distasteful) from Richi Jennings on Computerworld. When I read the
original, which basically sought to crucify Brad Arkin for Adobe being
hacked, I got upset. So upset that I took to Twitter and let Richi know it,
and I can't say I was too polite either... After a few others laid into
the author, the post was dramatically changed, the picture of Brad with
the overlay "Fire Me" came down, and there was an apology. Of course, if
you want to see the sorts of trolls that apparently read that column, look
no further than the comments...yikes.
Anyway... let me get to the point.
There are some points I think we largely still miss as a security
industry, judging by the interesting and colorful discussion about firing
CISOs in the wake of a breach that we had earlier on the day this post was
written.
First, security is hard. Those who lament the failures of security
professionals on the defensive from their offense armchairs (aka
penetration testers) need to play defense for a while. You'll get an
attitude adjustment, I promise. I came from a small-company penetration
tester mentality when I joined a massive global conglomerate back in the
early 2000s - and let me tell you, that attitude adjustment was harsh. My "why
can't you just fix this" was met with retorts like "because we have budget
to do one of two things - release the product and make the company money
and keep our jobs, or hope to add security" over and over. I eventually
learned the harsh lesson, luckily before I was relieved of duty.
[...]