It’s difficult to write about integrity in security, because it’s not about technology anymore, can be very vague and speculative. At the same time, not having integrity in security can lead to fundamental flaws that will undermine all other security controls. To be more specific about “fundamental flaws” think about compromised cryptography, in which case everything else that you do would not matter much.
What is Integrity?
You can find many formal definitions of course, but for me it simply means doing the right things, no matter what. “Right things” can be tricky here especially when a security SME or executive don’t have much experience in protecting systems and data, but since I’ve covered this case here and here already, I would assume that SME or executive have enough experience, know what they do and how security should be implemented. I will not also consider honest mistakes, because honest mistakes are not necessary related to integrity assuming that a person doesn’t have problems with admitting them.
Perils for Integrity
Any SME or executive who worked in security long enough has probably experienced one of more perils that could jeopardize their integrity:
- Senior management doesn’t completely understand the treat, but is willing to spend some time with security to understand it better.
- Senior management understands the threat, but doesn’t have time, money or human resources to address it now.
- Senior management understands the threat, but never provides all resources necessary to address it.
- Senior management understands the threat, but never provides any resources necessary to address it.
- Senior management doesn’t understand threats and never has time to talk to security about it.
Please notice that motivation for these types of behavior can be different – from not having enough resources to possible conflict with business goals. Understanding the motivation well is important for making trade-offs while preserving integrity.
Addressing the Perils
The first case is the simplest one. A security SME would need to identify the key business stakeholders and tell them a story at the right abstraction level. Choosing the right abstraction level is very important. If it’s too low, you’ll lose them and it will be completely your fault that has nothing to do with anyone’s integrity. If it’s too high and generic, your story might not be compelling enough and nobody will buy into it. Try using some numbers such as a monetized cost of a possible breach or real life stories demonstrating reputational and financial losses occurred in other organizations.
The second case is not hopeless either. Make sure that business commitments toward security last by reminding them frequently that this is still an important outstanding problem that needs to be solved. Meanwhile beef up mitigating controls such as monitoring for this particular threat and if you find its pattern unfolding in production, use it as a hard evidence that the threat is real and needs to be addressed soon.
The third case is rather typical – you will never get all resources to address all threats and vulnerabilities that you’ve reported. What you can do is a better prioritization and addressing the most important threats first while monitoring for others just like in the second case.
The fourth case is tough. As I’ve mentioned above, try to understand their motivation. Probably the business is in such a bad shape that nothing has left for security indeed, in which case you’ll need to leverage all human and technical resources inside the security team to help business, development and operations by delivering more automation and monitoring to mitigate the risks. If business is thriving on other hand, but you’re still not getting resources, that’s a good reason for a serious conversation with the top echelons of management in your organizations.
The fifth case is extreme and doesn’t happen in real life often. Try finding at least one ally in the management ranks and use each opportunity to escalate the issues. If that doesn’t help, your own integrity is important for you and you don’t want to be a security window dresser, consider changing an employer.
Inspirational and Demotivational Examples
Fortunately, we have enough inspirational examples demonstrating a high level of integrity in security when people chose what is right over what is required by incompetent bosses or even governmental authorities:
- Martin Hellman thought that improved security is more important than possible prosecution by law enforcement. He has published his PKI work in 70s in spite of all threats and warnings coming from government and was right – security has benefited significantly, his work was widely recognized and revolutionized cryptography. He had vision and courage to implement it.
- A strong privacy advocate and a well known security dignitary, Alex Stamos, was arguing vigorously with an FBI director about cryptographic backdoors explaining why it’s dangerous and how it can compromise security for everyone.
- The same Alex Stamos has resigned from his CISO position at Yahoo when learned about its government backed secret spying program and realized that he could not do much about it due lack of support from CEO and the board.
- A number of security folks, cryptographers, legislators condemned secret government spying programs at different public forums and requested more transparency, because they thought that it will degrade security and undermine privacy.
- I’ve also seen many other honest folks in security leaving their well paid positions, because they didn’t agree with how security is handled in their organizations.
I don’t want to write much about demotivational examples, but unfortunately they are many as well. Just look at the inspirational examples above and think about adversaries of those decent folks that have been mentioned there.
Integrity in security requires a lot of courage, perseverance and intelligence. I think, to be a successful security professional, one should absolutely have it. On the other hand, employers who don’t understand it can undermine the whole security program in their organization, drive professionals out and create an environment where flourishing complacency kills everything good and real, while promoting “security as a window dressing” phenomena.