
Bad Guy Wisdom

Jun 28, 2001 | 3 mins
CSO and CISO | Data and Information Security

Here's one answer: In a 10-minute Web search, I gained access to thousands of viruses and software tools with which I could create and launch polymorphic attacks.

Meanwhile, in a 10-week span, I have yet to find a CIO who will talk about a security breach.

In a sense, hackers are more open and honest. This explains, in part, why they're kicking tail. So why not adopt some hacker wisdom?

Communicate. Organize yourselves. Talk honestly about security failures, what you've learned and how you're adapting.

It's not that easy, right? To tell the world (read: shareholders) about a security breach is to create a litigious morass and possibly a public relations disaster. Fortunately, there are ways to talk about the problem and avoid this, such as Senior Writer Sarah Scalet's piece about a virus outbreak at an anonymous company.

Besides, clamming up doesn't make you safer. The public will find out about security compromises one way or another. Sometimes they have the right to know. Getting in front of the problem, talking openly about weaknesses everyone is susceptible to, may just make a CIO a leader, not a failure.

I think some CIOs want to broaden the security dialogue. They want to have frank conversations about what's happening and develop an organized strategy to combat hackers.

Case in point: Girl Scouts of America CIO Marcia Balestrino was ready to talk to CIO about her experience with a defacement of the GSUSA website. Balestrino saw in her hacking experience a simple but crucial lesson she could share with her peers. And she would be encouraging others to come forward. But first she had to check with PR, and PR gagged her.

The PR contact asked me, "Is there any way I could steer this interview away from the specific incident and just have her talk about security in general?"

I said no. So the Girl Scouts said no interview. Balestrino said she was disappointed but had to respect the PR department's decision.

I suspect this is typical. And I wonder when or if CIOs will start pushing back on the PR and legal departments that somehow think the problem will go away or that security lapses will be kept secret if they block discourse.

A caution: Though I think there is great unmined value in the virus story or the ill-fated Girl Scouts tale, this is not a plea to get good stories. It's my job to get those stories despite PR.

I'm simply saying it's time for CIOs to shift strategy in the security battle. Because the hacker community is just that: a community. Growing. Tighter and more organized than the good guys. Hell, they even have a trade show in Las Vegas next month. They keep in constant communication. They use the media. They build products and improve them rapidly. They continuously talk about what does and doesn't work, and they constantly improve their craft.

It's a shame I'm talking about the bad guys there.