Data Breach, Anyone?

Recently, Kaspersky admitted they had been hacked. No wonder: they are one of the primary targets. We have enough cases in the IT security industry where a company that took security very seriously got hacked anyway.

There have been a few very interesting stories. For example, Heartland Payment Systems was PCI DSS compliant in 2008, but there was a period during the data breach during which they were not PCI DSS compliant, and after the breach they were compliant once again (if I am not mistaken, that was among the investigation's conclusions).

The more aware among us (I’m certain that includes the readers of this brief opinion blog) realize we are living in very strange times. Once upon a time, the IT security industry was beautiful: a job for skilled specialists, where you learned something new every single day. Today, there are pen-testers who do not know how to tune nmap, who recognize XSS only by means of a web application vulnerability scanner, or who offer clients security services without any idea of how they work or why they are even necessary.

For example, I recently saw an advertisement on a social media network offering anonymous surfing, encrypted email, and secure cloud storage (let’s call this security SaaS). I realized I actually know the folks behind it, and I also know that they have NEVER done anything in IT security. So the question is: how far will the IT security industry go before it collapses because of incompetent “specialists”?

Another example is a “security specialist” making changes to a cybersecurity strategy while not actually being aware of what cybersecurity in fact is. I learned that lesson when I saw one of the key aspects of cybersecurity marked as “not important”. Bummer.

I am not worried about my future: I will be able to find clients who understand the real value of a proper professional service, and when (if) I realize I’m not good enough and can’t keep up with the IT security train anymore, I’ll jump off shouting “So long and thanks for all the fish.”

I am worried about the future of IT security in general. IT security has become a buzzword and has attracted many non-skilled people who are able to pass fancy-sounding certificate exams just as they pass driving licence exams. Companies that rely on their services are putting themselves at critical risk. It’s just a matter of time before they realize that their security is built on “water”.

Going back to Kaspersky: if such a big company, full of specialists with high reputations, had security-related issues, then take a minute to think about these “quickly home-brewed security specialists” and their qualities. And the impact on their clients? Data breach, anyone?

Boris Mutina is a freelancer with more than a decade of experience in IT, security audits and advisory, education, cybercrime analysis, and investigation. Among other projects, he is currently developing, together with another freelancer, an online brand protection and information leakage detection tool.