Trust. It's a fundamental precept of civilized society. Whether we like it or not, we must trust people we both know and don't know. To fail to do so would result in a complete breakdown in the fabric that is humanity. You trust the engineers who designed your car, your mechanic who worked on its engine, the engineers who designed the roads you drive, and the people around you who are in the same situation as you.
Trust. It's also a fundamental tenet of online life; one that is far more easily betrayed. If it is in human nature to trust, then so it is also in human nature to be duped by those who cannot, in fact, be trusted. In real life, we're often far more perceptive to cons than we are, or can be, online. The loss of the slightest nuances of non-verbal communication can mean the difference between simple understanding and total misunderstanding.
So it is that I read today about a new report indicating the degree of failed trust permeating our enterprises. According to the article "Survey: 20% of IT security professionals cheat on audits" we apparently cannot trust at least 20% of our colleagues in the security industry. I find this report deeply concerning on more than one level.
Key Observations
Before going into extended thoughts, here are my quick-hits:
* High-stakes compliancy: Part of the problem here is that compliance has become a high-stakes game. Rather than actually comply, we're now seeing the ill-gotten result. People will do anything possible to get a passing score, even if it means cheating, lying, or otherwise acting without integrity.
* Can't trust people: This is a very disconcerting to me. If we cannot trust the people we work with, then who can we trust? Yes, trust yourself, but consider the broader ramifications of this sad reality.
* The compliance house of cards: Compliance as it exists today is a house of cards. We now have proof that it's built on a foundation of lies and deceptions. If this house of cards falls apart, then be forewarned that the reaction could be swift and severe.
* Housekeeping is needed: There are a lot of good people out of work today. If you're a dishonest person who is lying about audit data in order to "pass," then I think it would behoove you to be on the look-out. Now is an extremely good time to make sure the right people are on the bus.
Impact on Regular Audits
Routine audits by outside parties has long been lampooned as ineffective and generally quite useless. I look at the new report and think a couple things. First, if you think audits are bad today, wait until the regulations requiring them start beefing up in response to the loss of integrity in the system. Second, it's long been my opinion that audits fail in value because of the auditors involved; lacking experience and access.
If this trend continues of organizations knowingly misrepresenting their state of compliance, I would fully expect the federal government to change the rules, just as they did with the so-called "stress tests" for the financial services sector. You think auditors are a pain now? Wait until you're required to provide full access to all of your systems and data, backed by indemnification from the government. Don't think that will happen? Keep making a mess of things and let's see.
More importantly, though, is the need for reformation in the skills of the auditors. If I were going to write requirements for auditor qualifications, I would start with 10 years verified experience performing penetration and process testing, and then work on increasing salaries. In reality, you want your auditors to be top-notch professionals, not the people who are new to the field. Watch out if this happens, though, because you won't be able to cut corners as well then.
Bottom line here: if things continue down the current path, we should fully expect draconian mandates from the central government. This is not a desired outcome by any stretch of the imagination.
Impact on Self-Assessments
In this case, I'm using "self-assessment" very loosely. Any sort of internal assessment, whether it be for publication or not, is a self-assessment. In some cases, attestations are made based on self-assessments (see PCI SAQ). Other times, your self-assessment is for your own private, internal purposes. Regardless of your definition or use-case, it is imperative to understand the threat represented here.
If you cannot trust your employees, then you have a major problem. Due to this report, if you have 5 security people in your organization, then at least 1 of them is lying to you right now about something they've assessed. If you scale this up, there is simply no reasonable way that a C* can directly verify everything themselves. It is simply not realistic. Moreover, the point is not whether or not a C* can verify everything, but that the C* now has to be concerned about the reliability of information presented.
The impact of this realization is quite startling: major problems may be lurking in your environment unbeknownst to you. You are now required to either spend your own time independently investigating matters ("verifying"), or you'll have to find trusted outsiders to bring in to ferret out the truths for you. A loss of trust is very expensive.
Cop Out: "Trust but Verify"
I've never been fully comfortable with former Pres. Ronald Reagan's quote "trust but verify." It seems to me that if you truly trust people, then verification is not only not needed, but the act of verification immediately belies that trust. It's a cynical position, and yet it seems increasingly to be required. I find it very disconcerting that we must use this hedge against the realities of modern society.
Of course, one could argue that IT itself is build on the back of "trust but verify." Much of what we do in infosec is verify that an individual, system, or application should in fact be trusted. I have to wonder if this doesn't set a negative tone across the industry and the enterprise. "We do not implicitly trust anybody or anything." This of course balances against "once bit twice shy" I suppose, but it seems very jaded.
Is this really what we've come to as a people? That we cannot trust anything or anyone implicitly? How sad.
Impact of the Admission
I'm very concerned about the potential impact of this survey. I think it demonstrates very bad judgement (who admits to cheating, really?!?), but it also demonstrates what is likely a very serious problem. We already have enough problems to deal with (lack of innovation, a compliance-only focus, challenges with evolving defenses, increasingly sophisticated attackers, etc.). We really cannot afford the distraction of now having to thoroughly verify and re-verify the work of those working alongside us.
"Fool me once, shame on you. Fool me twice, shame on me."
The Status Quo: Cutting Corners
One of the things I'm extremely concerned about is the apparent status quo. People are so intent on achieving a compliance checkmark that they are apparently willing to violate the very nature and purpose of the process. It's no wonder so many major incidents are occurring despite PCI DSS being in place for a few years now. Is it really the state of American business that we can lie so openly about things? Look at the state of the economy and Wall Street and the mortgage industry and residential real estate. Look at how these houses of cards have fallen lately. Have we learned nothing from the events around us?
More importantly, what does this say in general about our ability to learn lessons? Are we so incapable of learning from the mistakes of others? Are we doomed to fail miserably? The thought struck me a few years ago, while visiting Rome, that in 2000 years tourists may be visiting the site that was once known as Washington, DC, talking about the high point and sudden collapse of our modern society. The thought was fleeting, shrugged off with a knowing nod that our people were resilient. Yet, I cannot help wondering if this rationalization was merely a way to appease my mind; the lie I told myself so as not to accept what would be true.
The Bitter Medicine (Remedy)
My biggest concern out of all of this mess is that it will trigger draconian regulations from the federal government. If you think PCI DSS is bad, wait until your coffers are drained by mandatory quarterly audits by a bureaucratic machine. If you want to see small business crushed, here is where it will happen. And, lest you think the small businesses will be exempted, bear in mind that these are the very orgs most often culpable in misrepresentations of compliance state (whether intentional or not).
Closing Thoughts
This portrayal of the situation may seem a bit apocalyptic, and I would certainly agree with that sentiment. However, I feel very strongly and passionately about the importance of trust within society, and I fear that we have gotten far away from a healthy place in this regard. It is my hope that everyone will take this survey as a reminder that we have much work to do when it comes to improving the information society to a place that is beneficial multi-laterally and without limitation.
I grew up in an academic - yet soundly conservative and religious - household, most prominently at Concordia Colleage in Moorhead, MN, where my Dad teaches Mathematics. Following are the first two verses of the "Hymn to Concordia" - the official anthem of the college. I'm no longer a religious person, but these words came to mind as I thought about the article and what it really said about society.
On firm foundation grounded, Concordia fair doth stand,
with love and hope surrounded from God’s almighty hand,
To sacred truth, Concordia, May thou e’er faithful be,
’Til "Soli Deo Gloria" we sing eternally.In strength and faith forever, lead us where those have trod,
whose toil and chief endeavor have brought us close to God!
All hail to thee our founders, Concordia honors thee,
As "Soli Deo Gloria" we sing eternally.
