The ugly truth
"The Independent Committee also found that the Audit and Finance Committee and the full Board were not adequately informed of the full severity, risks, and potential impacts of the 2014 Security Incident and related matters."
Those of us in the infosec trenches know why this is. Middle management are strongly incentivised to only report good news upwards and to sit on or suppress bad news. Hit the bar at any security conference and find a corporate droid (drinking on his own dollar -- no expenses for us!), buy 'em a drink and probe them for some horror stores... we've seen things you people wouldn't believe. A very large email filtering firm that never applied security patches in production or upgraded OSes, so there were thousands of servers running on decade-old default Linux installs. Developers building handy databases of all the Local Administrator passwords across the organisation - browse to site, enter hostname, get plaintext admin password back -- with no audit trail, access control being membership of an AD group, and no even using HTTPS. Enormous financial services organisations with a completely flat internal network *globally* (cos firewalls are for the perimeter, right?) Mandatory annual "penetration tests" that consist of nothing more than an anonymous external Nessus scan...
The fact is, in most organisations the security people are an annoyance inflicted on the organisation by box-ticking auditors and regulators. We're here to not criticise management's attitude that security means "spend a lot of money on a box with flashing lights", to provide the illusion of a security culture to auditors and customers, and to have someone to sack when the inevitable finally comes to pass.
I seriously think that the soul-crushing grimness and stress resulting from spending years learning about things just so you can be told to keep quiet about it is one of the main reasons there's such a skills shortage. It's not the lack of smart, ambitious entrants at the bottom of the field: it's the burning out in a tangle of blazing metal against the Armco ten years later that's to blame.
If by any chance someone in senior management is reading this: find a junior security person who's been around for a year or two. Buy 'em a drink, Promise them no retribution. Get them to spill their guts...
(I've just realised I should post this as AC... )
Biting the hand that feeds IT
