Catch-22: Doing the Right Thing
Imagine the following situation: you are told that the company you are
working for is about to be compromised, and you have the ability to
stop it. In this scenario, you have the option of implementing
appropriate security, and you are told that doing so will save the
company and people’s lives, but you will lose your job because you
upset incumbent stakeholders who do not want the oversight or changes
that the security solution provides. So, do you do the “right thing”
and protect the company, or do the “right thing” for your family (keep
your job) and just “let it go”?
This Faustian dilemma faces C-level executives today in many companies
that trace their company’s history back more than 100 years and have
generations of the same family working for the same company.
The scenario I am describing is that of the companies and providers
that are part of the critical national infrastructure that President
Obama has been working with to provide a new legal framework to help
provide a significant defense against cyber-attacks.
At The Core: We Don’t Need Security or Help
The best way to describe the current cyber-security situation with
critical national infrastructure is as a deadlock between the status
quo and a secure future – a deadlock that can only be broken by a
Federal Government mandate to implement security.
As strange as it may seem, the management of critical national
infrastructure is being held hostage by employees who have no skin in
the game to improve security. Further, any attempt to implement new
work rules, accountability and security technologies to provide defense
goes up against an impenetrable wall that represents a permanent stalemate.
In the face of federally mandated rules to implement security
technologies such as privileged identity management, all sides find a
politically acceptable solution. In effect, the imposition of security
and proper process are not at the discretion of management or labor,
but are implemented for the general public welfare of everyone without
any negotiation or confrontation.
Taking the Fine or
The previous scenarios are true and represent the real-world today.
Outside of the critical national infrastructure debate (which has a
potential solution), we see another interesting scenario where poor
security, and the contingent fines that come with it from regulators,
is simply the cost of doing business.
In this scenario, there is an unusual practical reality whereby
companies make a proactive decision to accept fines and sanctions for
poor security audit results, rather than implement real solutions. In
this calculation, there is no life or death situation (as in the
previous scenario), only a business decision.
Implementing Security Could Kill Us
Here is a real head scratcher for you. Imagine if you were running a
large network with financial transactions. In this scenario you know
that your network is owned by criminals and potentially nation-state
actors. The network is poorly designed, security is poor to
non-existent, auditors have pointed out the situation, but the
financial loss from the current status quo is “acceptable” and the
introduction of real security controls would result in a massive loss
of reputation as well as serious financial loss caused by the criminals
accelerating their stealing because their window of opportunity is
closing. How would you kill off all the heads of the hydra at once with
100% confidence that you have closed all of the backdoors permanently
knowing that your own employees may be part of the problem?
The definition of a Catch-22 situation is that there is not always a
best outcome. When it comes to security, technology is important, but
culture and business realities can make the “right” decision a deal
with the devil if there ever was one. The nice thing about a law
regarding security is that “right” can be a lot clearer to define and
implement since there are few choices when it comes to deferring
implementation and its scheduling.
you think? Email me at: Phil@liebsoft.com.
You can also follow me on Twitter: @liebsoft
or connect with me via LinkedIn.
New in Identity Week
Featured commentary on our Identity Week blog this month includes:
- Cloud Computing and the Financial Services
Industry: a Q&A. Are security issues preventing
financial services firms from adopting cloud computing? If so, what can
be done to improve cloud security and encourage financial firms to
migrate to the cloud? To find out, we sat down with our very own Philip
Lieberman. In addition to serving as Identity Week’s Editor-in-Chief,
Phil is also President and CEO of privileged identity management vendor
- Defending Against Nation-State Cyber
Attacks. If you’ve been following the news over the last 6
months or so, you may have noticed an uptick in articles related to
Critical National Infrastructure (CNI) security legislation. You may
have also seen more reports of cyber-attacks against a wider variety of
targets by entities other than criminal elements seeking financial
gain. Why is that?...
Events / Press /
vs. Salesforce: An Identity Smackdown? Dark Reading. Some
say Facebook's growing role as online identity provider could make it a
potential enterprise IAM tool, others say Salesforce would have better
shot as non-traditional IAM provider.
Count Out Active Directory For Cloudy Future. Dark Reading.
Because Active Directory (AD) was first developed in an era before SaaS
services, some security proponents might make the case that it hasn't
adapted well enough and doesn't have the architectural flexibility to
future-proof itself within the increasingly cloud- and mobile-centric
- Study: Neglecting
Security Opens Doors For PIM. Channelnomics. It probably
comes as no big surprise that employees regularly override, neglect and
sometimes downright ignore security directives. Let’s face it,
cumbersome rules often get in the way of performing job functions
effectively and efficiently.
Finds That Security Policies and Rules Are Ignored, Even When From the
CEO. TechZone 360. The drumbeat of observations about what
to do about the troubled and troubling state of cyber risk management
in enterprise IT shops is getting louder, seemingly in lock-step with
the headlines highlighting how the bad guys are continually upping the
stakes along with the frequency of their attacks. And, at the recent
RSA security event, I was struck by the number of speakers who
highlighted the fact that at the end of the day, security comes down to
having educated users who follow best practices as possibly the best
way to mitigate the risk of most threats.
Workers Ignore Security Rules Deliberately? Business News Daily.
Regardless of whether it comes from an employee in the next cubicle or
a top executive in the corner office, the vast majority of IT
professionals believe their co-workers disregard security rules on
purpose, new research shows.
Staff Ignores IT Security Directives. GRC Daily. A recent
survey from Lieberman Software Corporation reveals that more than 80%
of IT security professionals believe that corporate employees
deliberately ignore security rules issued by the IT department.
Tech Tip of the Month
passwords directly from the Microsoft® System Center
Operations Manager interface
Enterprise Random Password Manager (ERPM) and Random Password Manager
(RPM) customers can get all the benefits of deep, out-of-the-box
integration with Microsoft® System Center Operations Manager through
the E/RPM Snap-In for Operations Manager. Thanks to this deep
integration, authorized users can quickly retrieve administrator and
root account passwords directly from the Operations Manager interface.
Here's how.