SEE EDIT. I MISSED A CRITICAL COMM THAT HAS SWUNG MY OPINION TO ONE OF SATISFACTION AND EVEN PRAISE: I'm not very happy with a lot of the security community right now. Every time an Okta, a SolarWinds, an Equifax, a Target, a Home Depot, etc. happens, many of us turn into sideline critics even though we don't have all the information. Is Okta releasing info at a rate I would appreciate? No. Are they as transparent as I would like them to be? No. Is there a security team who probably wishes they could be more transparent than the lawyers will let them be? Probably. From what has been released, do I feel like they weren't on top of their game? Maybe. Not no. Just maybe. And here's why:
I have zero clue what the full picture is of all controls that were actually in place... what controls were planned to be in place... what the CISO was up against in terms of getting resources... where other risks were stack-ranked vs. the one that got them... how the business invested in mitigating or managing those other risks...
None of us have the full picture.
So those of us who are bashing, please stop and consider: If it was you tomorrow, you would be less hard on yourself because you would know the challenges you were up against. And you probably would not be able to disclose the details of those challenges either.
Let's assume that all of our brothers and sisters in this fight, whether they got compromised or not, face similar challenges to the ones we face every day. Let's support each other and recognize that this job is hard - for all of us. I'm not super happy with this one, but I'm not super critical either...
EDIT: BLOG POST FROM OKTA THAT I WAS DIRECTED TO, THAT WAS ACTUALLY PUBLISHED _BEFORE_ I POSTED: https://lnkd.in/eyDNqNC9
EDIT: Transparency and comms improved dramatically with that blog post. Well done, Okta! And I should have checked on the latest before posting... Lesson learned.
#informationsecurity #cybersecurity #infosec #ciso