Seriously, It Could Happen to You

Nov 16, 2004 | 5 mins
CSO and CISO | Data and Information Security

One Thursday morning in September, Scott Berinato from CIO magazine called an executive assistant named Carolyn at a large IT vendor. Berinato said he wanted to talk to the “storage R&D guy.” Carolyn, following procedure, asked for a call-back number. Berinato at first wouldn’t give one. He was “weird and skittish, or up to something,” Carolyn said later. “He definitely sounded like he wasn’t sure what he was going to say.”

Eventually, Berinato left a number for his hotel in Pennsylvania. Carolyn relayed the details of the odd conversation to a PR person who called the hotel and got no answer. The PR person then called me, Scott Berinato, at my desk and left me a message.

I called her back, puzzled. She said, “This is in regards to the call you placed to [that executive’s office] at 8:15 this morning.” I told her that at 8:15 I was at home getting ready to take my daughter to day care. Confused, she asked, “So you’re not in Pennsylvania?”

She sighed and relayed all of the above details. I remember thinking that one of three things was going on. One, a practical joke, and I even asked who had put her up to this. Two, some kind of security audit; sometimes we talk about auditing ourselves around here for the practical experience. Or three, this was corporate espionage. It's not clear what information a competitor would get that I would be privy to and they wouldn't. But since this man targeted R&D, it seems likely that he hoped the appearance of an objective journalist would get him data on forthcoming plans he otherwise could not ascertain.

At any rate, I downplayed that possibility at first and decided that it was more random than any of that; just a case of fuddled sticky notes or something. Still, the PR person and I created a random password that only we would know. Simple encryption. If you are who you say you are, you’ll have the private key. I felt silly about the cloak-and-dagger stuff, but it made sense, just in case.

The next day, Scott Berinato from CIO magazine called the executive assistant to a vice president of new product development at another large IT vendor. The assistant said Berinato wouldn’t provide a phone number and “got rude.” He told her he was on deadline and said, “Don’t call me back.” She handed over the information to her PR group, who called me.

Corporate espionage instantly became the most likely scenario. We did the password thing again.

The next Monday, Scott Berinato from CIO magazine called an executive assistant at the first large IT vendor again, but in a different division. Once is an accident. Twice a coincidence. Three times, a trend. Someone was stealing my identity.

In these three cases, we managed to expose the plan. Standard procedures (asking for call-back numbers, alerting PR) accomplished what they were set up to accomplish, and threw the perpetrator off balance. But I wondered how many times a PR team eager to get their clients in front of the press fell for the bait and happily briefed Scott Berinato from CIO magazine. I wondered if Scott Berinato from CIO magazine was abrasive with other companies as well, thus affecting those companies’ perception of my standards as well as our company’s.

We spend a lot of time talking about identity theft and corporate espionage, but we talk about them almost exclusively as technological crimes. Yet this case didn’t require a credit card number or a website vulnerability or a stolen cell phone. This was far simpler, and also profoundly more disturbing. Someone just told people he was me. His success relied solely on people who had a reason to want to believe him (the potential of press coverage) going ahead and deciding to believe him.

Anyway, we responded swiftly. I wrote a brief description of events for our CSO and CSO magazine's Editorial Director. Our CSO contacted the security directors of the companies involved, as a courtesy. Our Editorial Director drafted a short letter to PR professionals explaining the situation; reminding them that our journalists would never behave in this way; telling them to be on the lookout; asking them to please inform us of any events like this. We blasted that note out in our newsletters and on

And that was that. I was impressed by our rapid, organized and full response.

Except, I haven’t entirely let it go. Even a relatively non-threatening crime, which, in truth, would cost the target companies far more than it would cost me, has a violating effect. I’ve periodically felt a nauseous mix of fear and indignation. I’m genuinely spooked by all of this.

A couple of thousand years ago, a philosopher named Epictetus said, “In theory there is nothing to hinder our following what we are taught; but in life there are many things to draw us aside.” Twain, of course, said it plainer: “How empty is theory in the presence of fact.” If there’s something to learn from this episode, that’s it. Despite the best preaching of good security principles, humans tend to feel safe in the absence of negative events. It’s not until they experience a negative event that they grasp what good security does for them.

And yet, the CSO’s and CISO’s job is to prevent such events. Therefore, doing your job paradoxically prevents people from truly grasping the value of what you do. In other words, “It could happen to you” rings hollow. Until it does happen to you.

How do you deal with that?

That question is not rhetorical. How do you CSOs and CISOs get people to believe it could happen to them before it does happen to them? Let me know at