If a company is serious about security, then who in the company is serious about security?

[Originally from a longer essay]

Let’s talk about EquiFax. They were hacked and data regarding 145 million people was leaked. When the CEO was hauled before Congress to explain himself, he emanated a nonchalance that offended people. John Oliver had a nice take down:

After this disaster was well known to the public, EquiFax hired ReliaQuest to manage their server security. I have friends who work at ReliaQuest, and I know it is a great company full of great people. If you need a company to simply watch your servers and warn you about intrusions, ReliaQuest is a great choice. All the same, one can not outsource one of a company’s core functions, and for a firm that deals with sensitive financial data, security needs to be a core function. It is reasonable for EquiFax to outsource the janitorial service, but not the management of data.

I’ve been researching EquiFax. As near as I can tell, hiring ReliaQuest is the main thing they’ve done to improve security. Perhaps it is the only thing.

If a company handles people’s sensitive financial data, then I would like the CEO to be the type of person who wakes up in the morning thinking about security, goes to sleep at night thinking about security, and never has security far from their mind during the day. So to hire a security company, and then act as if security is a solved problem, is troubling. There are many other ways for a company to be hacked. Social engineering is a danger, and most company hacks are inside jobs. Hiring a firm such as ReliaQuest does not protect you from having one of your own employees steal data and sell it to the Russians. Protecting against internal attacks requires hard thinking by the top leadership of the company. The job can not be outsourced.

But I don’t mean to only focus on EquiFax. I’ve seen many small companies where computer security was considered the exclusive job of the tech team. I recall a jewelry manufacturer in Richmond, Virginia, which had about 100 people, including a tech team of 3. Top management of such a company has the option to educate everyone about the importance of security, or they can just leave the task to the tech team. The tech team is often happy to gain the power granted by being in charge of such an important function. And then they implement silly rules, like forcing all passwords to change each week — minor rituals that annoy a lot while offering little real security. Real security could only come from educating the staff about the open nature of email, the importance of using encrypted communications, the importance of protecting the intellectual property of the firm. A company with 97 ignorant people and 3 security minded people can never be as secure as a company with 100 security minded people.