Speaking The Uncomfortable Truth
Being a cybersecurity leader is a huge responsibility that will eventually require speaking up.
As a cybersecurity leader there WILL be times when you will have to speak the uncomfortable truth. Sometimes it may cost you your job or a client. I was told a long time ago to go by “Do The Right Thing”.
It’s a difficult position to be in.
Once upon a time there was a CISO at a social media giant. This CISO knew, and still knows, their stuff. Well, let’s just say there was a bit of a disagreement with the execs, and so he left. There’s a lot here that I don’t want to get into… but the point is…
Companies and people want security… except sometimes when it’s inconvenient.
Maybe he felt like a token security hire at that point.
I’ve been lucky to work with clients that are genuinely interested in security. However, I know of people that had clients become irate and outright dispute security findings in assessment reports.
It’s one thing to debate the severity, but another to debate whether a security gap is a gap at all.
Hint: That’s why most reputable companies will not provide the editable source of a report.
There’s so much more though than just debating semantics. For us as security professionals, it’s our reputation on the line.
Let’s take a simple example. Say ACME SaaS Inc receives a report that lists the lack of two-factor authentication on corporate applications, in 2021, as a critical vulnerability. The company is also a software provider to B2B companies. All of these factors are taken into consideration when determining the severity. See the footnotes for all the reasons why 2FA is so important¹.
However, the company doesn’t want this vulnerability in the report saying it’s a known issue and will be fixed soon.
Understood. However, it is the assessor’s responsibility to include everything they find at the time of the assessment. That’s the point.
Can you imagine the reputational damage to the assessor if they were found not to have documented the issue above? What about after an incident?
There could be several other reasons why the company does not want this or other critical items in the report; unfortunately, you may not know the reason.
Here are some considerations based on actual events somewhere in the security world:
- They are in talks with other companies for an acquisition, or with investors, and those parties are asking for the report
- The Board wants to see the report
- The IT person responsible doesn’t want to look bad
Our job is to inform the business of security risks. It’s up to the business to decide not to fix something and accept the risk. If they want to do that, that’s fine. Ethical? The right thing to do? Highly debatable.
However, if we cannot communicate the risk, we’re not doing our job.
Thanks for reading.
P.S. This is a topic that can easily take multiple pages… hope you got the gist though.