Lieberman Software
April 2013       

Top of Mind

Catch-22: Doing the Right Thing

Philip Lieberman
President & CEO
Lieberman Software

Imagine the following situation: you are told that the company you are working for is about to be compromised, and you have the ability to stop it. You have the option of implementing appropriate security, and you are told that doing so will save the company and people’s lives, but that you will lose your job because you will upset incumbent stakeholders who do not want the oversight or changes that the security solution provides. So, do you do the “right thing” and protect the company, or do you do the “right thing” for your family (keep your job) and just “let it go”?

This Faustian dilemma faces C-level executives today in many companies that trace their history back more than 100 years and have had generations of the same family working for them.

The scenario I am describing is that of the companies and providers that make up the critical national infrastructure, with which President Obama has been working to create a new legal framework that offers a significant defense against cyber-attacks.

At The Core: We Don’t Need Security or Help

The best way to describe the current cyber-security situation with critical national infrastructure is as a deadlock between the status quo and a secure future, a future that only exists by way of a Federal Government mandate to implement security.

As strange as it may seem, the management of critical national infrastructure is being held hostage by employees who have no skin in the game to improve security. Further, any attempt to implement new work rules, accountability and security technologies to provide defense goes up against an impenetrable wall that represents a permanent stalemate at best.

In the face of federally mandated rules to implement security technologies such as privileged identity management, all sides find a politically acceptable solution. In effect, the imposition of security and proper process is not at the discretion of management or labor, but is implemented for the general public welfare of everyone without any negotiation or confrontation.

Taking the Fine or Improving Security

The previous scenarios are true and represent the real world today. Outside of the critical national infrastructure debate (which has a potential solution), we see another interesting scenario where poor security and the contingent fines that come with it from regulators are simply the cost of doing business.

In this scenario, there is an unusual practical reality whereby companies make a proactive decision to accept fines and sanctions for poor security audit results, rather than implement real solutions. In this calculation, there is no life or death situation (as in the previous scenario), only a business decision.

Another Situation: Implementing Security Could Kill Us

Here is a real head scratcher for you. Imagine if you were running a large network with financial transactions. In this scenario you know that your network is owned by criminals and potentially nation-state actors. The network is poorly designed, security is poor to non-existent, auditors have pointed out the situation, but the financial loss from the current status quo is “acceptable” and the introduction of real security controls would result in a massive loss of reputation as well as serious financial loss caused by the criminals accelerating their stealing because their window of opportunity is closing. How would you kill off all the heads of the hydra at once with 100% confidence that you have closed all of the backdoors permanently knowing that your own employees may be part of the problem?

Security: Technology and/or Culture

The definition of a Catch-22 situation is that there is not always a best outcome. When it comes to security, technology is important, but culture and business realities can make the “right” decision a deal with the devil if there ever was one. The nice thing about a law regarding security is that “right” can be a lot clearer to define and implement since there are few choices when it comes to deferring implementation and its scheduling.

What do you think? Email me at: You can also follow me on Twitter: @liebsoft or connect with me via LinkedIn.

What's New in Identity Week

Featured commentary on our Identity Week blog this month includes:
  • Cloud Computing and the Financial Services Industry: a Q&A. Are security issues preventing financial services firms from adopting cloud computing? If so, what can be done to improve cloud security and encourage financial firms to migrate to the cloud? To find out, we sat down with our very own Philip Lieberman. In addition to serving as Identity Week’s Editor-in-Chief, Phil is also President and CEO of privileged identity management vendor Lieberman Software...
  • Defending Against Nation-State Cyber Attacks. If you’ve been following the news over the last 6 months or so, you may have noticed an uptick in articles related to Critical National Infrastructure (CNI) security legislation. You may have also seen more reports of cyber-attacks against a wider variety of targets by entities other than criminal elements seeking financial gain. Why is that?...

Events / Press / Analysts
  • Facebook vs. Salesforce: An Identity Smackdown? Dark Reading. Some say Facebook's growing role as online identity provider could make it a potential enterprise IAM tool, others say Salesforce would have better shot as non-traditional IAM provider.
  • Don't Count Out Active Directory For Cloudy Future. Dark Reading. Because Active Directory (AD) was first developed in an era before SaaS services, some security proponents might make the case that it hasn't adapted well enough and doesn't have the architectural flexibility to future-proof itself within the increasingly cloud- and mobile-centric enterprise.
  • Study: Neglecting Security Opens Doors For PIM. Channelnomics. It probably comes as no big surprise that employees regularly override, neglect and sometimes downright ignore security directives. Let’s face it, cumbersome rules often get in the way of performing job functions effectively and efficiently.
  • Survey Finds That Security Policies and Rules Are Ignored, Even When From the CEO. TechZone 360. The drumbeat of observations about what to do about the troubled and troubling state of cyber risk management in enterprise IT shops is getting louder, seemingly in lock-step with the headlines highlighting how the bad guys are continually upping the stakes along with the frequency of their attacks. And, at the recent RSA security event, I was struck by the number of speakers who highlighted the fact that at the end of the day, security comes down to having educated users who follow best practices as possibly the best way to mitigate the risk of most threats.
  • Do Workers Ignore Security Rules Deliberately? Business News Daily. Regardless of whether it comes from an employee in the next cubicle or a top executive in the corner office, the vast majority of IT professionals believe their co-workers disregard security rules on purpose, new research shows.
  • Survey: Staff Ignores IT Security Directives. GRC Daily. A recent survey from Lieberman Software Corporation reveals that more than 80% of IT security professionals believe that corporate employees deliberately ignore security rules issued by the IT department.

Tech Tip of the Month

Retrieve admin passwords directly from the Microsoft® System Center Operations Manager interface

Enterprise Random Password Manager (ERPM) and Random Password Manager (RPM) customers can get all the benefits of deep, out-of-the-box integration with Microsoft® System Center Operations Manager through the E/RPM Snap-In for Operations Manager. Thanks to this deep integration, authorized users can quickly retrieve administrator and root account passwords directly from the Operations Manager interface. Here's how.

Lieberman Software Corporation
1900 Avenue of the Stars, Suite 425
Los Angeles, CA  90067
(01) 310-550-8575