Remember the old TV show Hogan’s Heroes? It was on a few decades ago, but you can still find it here and there. If so, do you remember the character Sgt. Schultz, who, when something bad happened, always exclaimed, “I know nothing… nothing!!”? A few years ago, when working for a large technology company, I was doing a security review with a major university, a very large, very high-tech university. When we reviewed some obvious shortcomings of their current security posture with the CIO, I received a very startling but not completely unusual response. The CIO, the highest person responsible for the technology and technical security, told us that “he did not want to know what security problems he had, because then he would have to do something about it, and if a problem happened he would deal with it then.” There was a lot to say, but at this point I was dumbfounded. I have heard about this type of attitude before, but usually not spoken out loud in a public forum. But I said nothing. We left there shaking our heads.
Who Is Responsible?
This is a very good university with a very good reputation; they had funding for important projects, and they had excellent staff and onsite consultants who kept things working in IT. So why was this happening? I remember looking across the room at the person at the university responsible for security at the technical level. He could not even look up. I could see he was embarrassed. He was a good man who wanted to do the right thing. But he had no say in this strange unwritten policy, and he could not do anything about it. It was the responsibility of people higher than him, people who had the authority to initiate and fund important security policies that could protect the students, the employees, and the institution. People who could protect the entire university, but it was not being done, because of an exercise of self-preservation at a very high level.
Chickens Come Home To Roost
A couple of years later, the inevitable happened. The university was struck by a major DDoS attack, which caused a very large breach in their weak security. Literally tens of thousands of student and employee records were stolen, never to be recovered. The costs are still racking up years later. It made the front page of the news for weeks on end. It was an embarrassment of huge proportions. And why? Because one man was able to say, like Sergeant Schultz from the old TV sitcom Hogan’s Heroes, “I know nothing!! Nothing!!!” Do not let this be your company or organization. Your responsibilities are big and varied, but none is as fundamental as keeping your users safe and protected. If you are responsible for your organization’s security, then be responsible. This is why security needs to be decided at the executive level, so these types of things do not happen.