Personal responsibility in InfoSec industry

ChooseLife Member Posts: 941
Hello,

Question to those of you who work as InfoSec Officers or in similar roles (full time for a single company, not consultants):

How much personal responsibility does working in InfoSec usually entail in North America?

Do you have legal or financial responsibility? What happens when a security breach occurs? In the news I often read about CSOs of large companies stepping down after a major breach - are they getting fired, or is it a sort of moral code? How often does it happen (any breach, major ones, ones receiving media coverage), and is it the same for smaller companies? Are these individuals able to continue working in the industry?

I have the opportunity to move into the role of security person for my current company. It's a smaller company (100 people) but growing and introducing new positions often. I have been with the company for some time as a server admin and have somewhat of a reputation as a security freak (which indeed I am). My boss stated we need a dedicated security person and hinted at me a couple of times in conversations.

I feel that if I want to move into InfoSec, this would be the perfect opportunity to make a smooth transition and get that first experience as a full-time security person.

My concerns are that if/when a breach occurs, I could be made a scapegoat and get fired or sued, with diminishing chances of getting hired afterwards. My family generally does not want me to do InfoSec because they perceive it as an industry with high personal responsibility.

I am already doing a lot of server hardening, network/system security design work, and certificate and encryption key management as part of my sysadmin duties. I feel more or less comfortable about my own technical abilities, but in other areas (processes and procedures, and general leadership as a security officer) I still have a lot to learn.

Any comments and advice from seasoned professionals are welcome. In my current role, I am not afraid of being responsible for managing critical infrastructure, but the idea of potential legal and financial responsibility is much less comfortable.
“You don’t become great by trying to be great. You become great by wanting to do something, and then doing it so hard that you become great in the process.” (c) xkcd #896


Comments

  • afcyung Member Posts: 212
    I can't comment on what type of legal culpability the company you work for would try to levy against you. I would hazard that unless you are a C-level executive in the company, you ultimately aren't held responsible. You will probably see, as you delve into the Risk Management piece of InfoSec, that the people running the company will be making calculated decisions about which risks to mitigate and which risks aren't worth mitigating based on cost. It's not just about doing the technical side of computer security (properly configuring servers/clients/networks) but also policy issues on proper use of the company's private LAN, etc. I have found that as the lead information assurance manager for my location, I am an adviser to those tasked with making decisions. If we disagree on an issue, I document it in case it comes back to bite us.

    Even with an infinite budget for security, it would be possible to breach your network, simply because you can't control what the users on your network are going to do. They could fall victim to a phishing email that has an attachment with malicious code that exploits a zero-day on the PC, allowing an adversary to compromise the PC and potentially other areas of the network, exfiltrating data and intellectual property. As the lead security guy, it would ultimately be up to you to make a recommendation, and up to the C-level executives to either implement your recommendations or accept the risk.

    Not to say that you can't be fired. Obviously, if you fail to do due diligence on issues arising at your location you could be let go, but that could happen in your current role too, so in my mind there is no reason to worry about what might happen.

    Some light reading: http://csrc.nist.gov/publications/PubsSPs.html - NIST has a lot of good pubs on InfoSec.
    http://iase.disa.mil/stigs/index.html - DISA also puts out very detailed instructions for technical and policy implementation, called Security Technical Implementation Guides.
  • paul78 Member Posts: 3,016
    Sounds like a good opportunity. People "step down" usually because they are asked to. It's no different than a salesperson that can't make quota, or a sysadmin that never does backups. It's about how well you execute your function and the value you bring to the organization.

    Just because there is a breach doesn't mean that the CISO is culpable. Security is a team sport, just like customer service, etc., in a company.

    If I stop being a contributor - then I expect to be fired.

    Good luck on your journey.
  • forestgiant Member Posts: 153
    paul78 wrote: »
    If I stop being a contributor - then I expect to be fired.

    I wish it were that clear cut. The reality is there's so much politics involved in a security breach. The company's image could go down the drain, loss of revenue due to customer exodus, or top dogs not wanting to look bad are just some of the reasons. InfoSec is a delicate balance between security and convenience; sooner or later someone will accidentally or intentionally break something. That doesn't mean that the CISO and his/her staff didn't do their job; it's just that we live in an imperfect world, and once **** hits the fan, management would need to sacrifice someone to show investors they are doing something.
  • paul78 Member Posts: 3,016
    forestgiant wrote: »
    Reality is there's so much politics involved in a security breach.

    I respectfully disagree. A good security manager designs an incident management program to manage a breach and reduce the politics. In any breach, it's about gathering facts and evidence in a manner that is legally defensible. InfoSec isn't about eliminating security breaches. Breaches will happen, as you said. But if I have done my job, the controls are in place which reduce the probability of a breach, and the business understands and accepts the residual risks, then there should be no fear of being the scapegoat.
  • afcyung Member Posts: 212
    I agree with paul78. InfoSec is not just the CISO's or equivalent's job, it's everyone's job.
  • ChooseLife Member Posts: 941
    I appreciate all the comments, though there seems to be some disagreement. It gives insight into the industry.
  • paul78 Member Posts: 3,016
    ChooseLife wrote: »
    Gives the insight into the industry.
    Sorry, I should have added the disclaimer that my previous comments are based on US law and corporate practices. If you are outside the US, my comments may not apply.

    I understand you are concerned about personal liability. In the US, that liability doesn't normally extend to the employee. Even if you represent the corporation as an officer, your liability is limited to gross negligence and misconduct. Frankly, if there was a lawsuit, the plaintiff would go after the entity with the deepest pockets, which would be the corporation with E&O insurance. I am not saying that there is no personal liability in a job, but it's not specific to InfoSec. For example, in the US, managers can be held personally liable for FMLA violations and sexual harassment regulations. If you are really nervous, you may want to consider consulting an employment attorney.

    If you are in the US, based on your characterization of the position, this sounds like a good opportunity if you are interested in a leadership role. Best of luck in your decision.
  • ChooseLife Member Posts: 941
    I'm in Canada, so I'd imagine the practice is not very different here.

    You are talking about the customer or other affected party being the plaintiff, but what about the unhappy employer? Say a breach occurs in a way that can be attributed to the security person's mistake or negligence; what are the chances of the company taking action against the employee?
    paul78 wrote: »
    your liability is limited to gross negligence and misconduct
    Can you elaborate on this one, please? (we can insert a legal disclaimer here :))

    So basically, I perceive InfoSec people to be at a higher risk of getting fired or otherwise being held personally liable than people in other professions, because of the impact their mistakes have. The three opinions expressed in this thread are not unanimous, and so my doubts are not resolved yet...
  • ChooseLife Member Posts: 941
    Found this document, addressed directly to me :)

    http://www.sans.org/reading_room/whitepapers/infosec/information-security-starting_33239
    Information Security: Starting Out

    "...Going from technical guru to Information Security Manager can be a bigger step than you might think. Taking on the role of IT Security Officer in an enterprise that treats information security as an IT problem can offer many challenges and many opportunities to learn. Each organisation is unique and identifying those approaches that do not work is an important step forward in the journey to an effective information security program.

    This paper is focused on delivering some broad guidance to the newly appointed information security professional. A direct reflection of the author's experiences, it targets administrative areas that are often overlooked by those with a strong technical only background..."
  • afcyung Member Posts: 212
    ChooseLife wrote: »
    So basically, I perceive InfoSec people to be at a higher risk of getting fired or otherwise be held personally liable than people in other professions, because of the impact their mistakes have.
    Based on what, though? Have you seen data that says as much? If you are worried about being a scapegoat, then don't let yourself become one. If you are worried, as was mentioned earlier, you might want to contact a lawyer to address your concerns. If you aren't comfortable, then don't take the position. It sounds like a great way to get into security, but if that's not your passion, then I would pass.
  • nicklauscombs Member Posts: 885
    ChooseLife wrote: »
    Can you elaborate on this one, please? (we can insert a legal disclaimer here :))

    Security guy here:

    There is so much grey area in this discussion, but for simplicity's sake, since you seem to want some sort of "real world" scenario that could be labeled as gross negligence, here's my 2 cents (obviously not a lawyer). A simple scenario would be defiantly breaking company policies/procedures in a way that causes inherent danger to the company (whether it be monetary, degrading of the company's reputation, etc.). Something like posting proprietary information, device configurations, or usernames/passwords out on the internet comes to mind (whether that be maliciously or something as innocent as sending them to your personal email so you can look over them at home after work wouldn't matter if it breaks explicitly stated policy).

    I think you are getting too hung up on the technical security side without considering the business aspects of security. Businesses calculate risk to the organization, and you better believe user error is in that calculation. Any business worth a damn (and even ones who aren't) is putting you in place (and paying you a salary) as a security employee to help them mitigate that risk, not for the purpose of dumping all the blame on you when something goes wrong (if they wanted to do that, they wouldn't need to make you a "security" person; they would just do that to any employee who might be at fault). The bottom line is you are a cost to the company, but they think that by paying your wages you will help mitigate that risk to the point where your salary costs far less than any breaches that will happen.

    Why not voice these concerns to your superiors? It seems like an open and honest conversation would be a good idea if you are this worried.
  • paul78 Member Posts: 3,016
    @nicklauscombs - great examples, but you described misconduct. When I said negligence, that refers to things like allowing a web app to be deployed without a firewall, or setting up new office space without locks on the front door.

    @ChooseLife - hopefully the paper addressed your concerns. Like afcyung, I too am curious about your perception of personal liability. Like any other profession, with increasing responsibility in career advancement there will always be additional accountability.