This topic will soon be beaten to death, but I need to post it for my future reference. TJX recently fired an employee who disclosed weaknesses in their security. ComputerWorld has an updated article with details like the employee’s name. Ha.ckers.org posted an original tidbit last week, and here are the forum posts in question (as long as they are still up). There is also a post talking about how to more properly “whistleblow.”
I regularly decry the stifling glass walls of information disclosure and sharing of experiences, horror stories, and successes in our industry. I can also decry poor reactions to helpful employee suggestions or public disclosure of issues. If an organization can be so badly damaged when some information is leaked out (like poor password policies [or nonexistent!], unguarded servers, or poor network architecture), then something is definitely wrong.
Internal and even public open review of security stances should almost be a goal. If a security posture of an organization can withstand open review (like open source code), that can only be a good thing (unless your business relies on those practices as a competitive advantage, kinda like proprietary and secret warehouse sorting technologies).
We are in a new age where information travels far and fast with our efficient technologies, social networking, and news reporting services. It is no longer enough to have a security policy prohibiting talking about security issues in public. Twenty years ago, such indiscretion when talking at a pub with some buds wouldn’t ever get very far, but talking with buds on a forum or online game can become re-referenced worldwide news very quickly. Is that something an organization should try to prevent and actively stamp out? I say not really.
There will always be people who disagree on issues and decisions passed down by management. One person’s trivial issue is another person’s crusade for insecurity; one manager’s accepted risk is another worker’s nightly worry. And there will be times where someone using a public forum as a soapbox to stir internal drama at an organization needs to be punished or removed. But an organization should use that as a last resort, and instead try to actually fix things rather than make them just appear to be fixed, and when not fixing things, admit as much and disclose why, at least internally.
All this said, there will always be exceptions, and I’m not saying I would ever be a ‘whistleblower’ or support such actions. Just saying there is a better way of dealing with it.
(This is probably all stemming from our highly litigious culture... rather than working together to do great things, we worry about covering our asses from all the life-damaging lawsuits that get thrown around. That and the quest for green…)