Why I Don't Support Mudge's Decision.
You’ve no doubt seen the whistleblower claims this week from Peiter Zatko about Twitter – and he’s probably dead-on correct about their lax security. Nothing he says about cyber protection at the company seems out of whack. In fact, it all sounds pretty familiar.
The primary issue appears to be that Twitter has serious identity and access management issues. And the former security chief, known to us as Mudge, and recently fired by the social media giant, claims that the executive team is unwilling to make changes.
Now look – we don’t know what we don’t know. Maybe some truly sinister stuff is going on behind the Twitter curtain. But I doubt it. This is probably the usual type of awful security problems at the usual type of company.
Welcome to the job of being a CISO.
First off, the position of CISO should never be given to a celebrity hacker. The CISO position is an executive position, one that requires years of corporate development and a calm willingness to become a senior executive, not to fight with them. Alex Stamos, you will recall, had similar challenges at Facebook.
Second, I do not think Zatko’s career resume, including time in the government, warrants him getting the CISO position. I know hundreds of capable rising security executives who have learned to drive initiatives, change opinions, and improve the culture in an enterprise – who would have been better choices for the job.
In fact, I would never have recommended Mudge for the CISO position at Twitter. It was done because he is well known and prominent. Period. That’s why he got the job, and it’s why he did not last more than two years. Penetration tester would have been a better fit.
Third, I do not know of a single working CISO who is not terrified of at least a dozen major issues that require immediate attention in the company – and who are frustrated with senior management. This is the job. This is being a CISO. Welcome to the life.
So now, we will be treated to a long series of high-profile interviews with Mudge on television, news media, print media, streaming, and so on. I’ll bet he gets a movie deal. And yes – he is correct about the lax security – but the whistleblowing is to what end?
The bottom line is that the job of CISO involves fixing the types of things Mudge is whistleblowing about, not failing, getting fired, and then calling the news media to complain. I am terribly sorry to have to write this because I’ve admired his fine career. He knows a lot about security.
I know many of you will not agree with me – but this is what I believe.
GovStar Winner for Architecting FedRAMP | CISO | Published Author | Cybersecurity Law & Governance
2 years ago
As Mr. Amoroso states, "Maybe some truly sinister stuff is going on behind the Twitter curtain. But I doubt it. This is probably the usual type of awful security problems at the usual type of company." After all, the highly reputable and publicly available SSL Labs scanner does assign Twitter an A for its two publicly facing IP addresses. This incident begs the question on whether there will be a new trend of cybersecurity SMEs blowing the covers on their employer and becoming whistleblowers. And while Twitter is highly visible, it is not critical infrastructure. Would doing the big reveal on critical infrastructure companies be seen in the same light?
Principal Advisor|Researcher at Cybersecurity CMMC Practitioner|Assessor Advisors, LLC
2 years ago
Here is the link to the full Judiciary Committee hearing next Tuesday morning on the topic: https://www.judiciary.senate.gov/meetings/data-security-at-risk-testimony-from-a-twitter-whistleblower
Head of Platform Security @ Plaid
2 years ago
If he was party to material misstatements to the board, as he says he was, then he was at risk of serious personal legal trouble. To me, that's the core issue here. It's one thing to have crappy security, although he describes a state much worse than I'd expect from a company the size, age and importance of Twitter. It's quite another to mislead your board about it. I have no idea how truthful his claims are nor what role his own lawyers played in his decision to turn whistleblower, but I know that if I felt I was involved in material misrepresentations to the board, I would immediately call my own lawyer and do exactly what they said.
vCISO | Cyber Governance, Risk, & Compliance | Technical Cyber Advisor | AI | Systems Transformation | CISSP
2 years ago
Edward, let's get real... Mudge did not tell us anything we did not already know... gaping holes, CxOs that don't understand "good enough security" (wink Pete Lindstrom) vice ROI. I am with Ira, (it sometimes pains me to say that my friend), after two decades of serving as a CxO advisor at some of the largest/sensitive IT/OT entities, the world would be shocked to learn how fragile our lives really are... and BTW, Twitter is NOT a critical infrastructure. Twitter could go away today and the impact would be infinitesimally smaller compared to the loss of any one of the critical infrastructures (electric, food, water, O&G, banking, manufacturing, PNT...). Role of the CISO is to protect the entity to a level of "chosen risk".... usually by translating risks into $s that CxOs and boards can understand/fund. Fighting that fight and winning is very challenging. Feel for Peiter "Mudge" Zatko, as all CISOs suffer in silence from intense cyberwar fatigue. Peiter's service at Twitter was a waste of great talent that could have been better used to protect a high impact entity worthy of his time and talent.