I’ve dedicated more than a few hours to watching and rewatching Peiter “Mudge” Zatko testify in front of the Senate Judiciary Committee. Over the last few weeks, I also read and reread his whistleblower complaint and the supporting documents. Undoubtedly, it’s fascinating reading and an opportunity to learn from the hundreds of soundbites and quotes about what should have been in place at Twitter from a data security perspective but wasn’t.
However, over the last few weeks, I’ve been increasingly fixated on the insights that the testimony delivered about the implications for the governance of data security, from the board to regulators. It’s surely through these governance bodies that the future of data security will be shaped—starting with your board members.
Asking The Hard Questions
It’s inevitable that after a significant and newsworthy cybersecurity event like this, board members will ask themselves what the implications are for them and their business if this were to happen on their watch. In this instance, boards are faced not only with finding out from their executives and the CISO whether they have specific capabilities or plans in place to address the issues raised, but also with less tangible trust issues. Questions like, “Can I believe the current security status reports?” or “Are we being told everything important about security, or is some information being purposefully withheld?” are, sadly, questions that the people preparing the reports can’t answer with a simple yes or no.
The absence of regulator-mandated whistleblower channels, as highlighted in the quote from Mudge below, leaves boards with the dilemma of how to encourage greater transparency without adding more work for the security team to manage.
“FTC and other regulators don’t have laws or rules that would create whistleblower protection programs for people while they were still in these organizations.”
Ensuring that potential whistleblowers have a means of raising cybersecurity concerns anonymously with an independent body, without fear of repercussion, is the most likely board response to reduce the surprise factor.
It is, however, the simpler questions implied by Mudge in his quote below on which boards will likely focus when deciding how far to trust the security of the organization after the revelations from the testimony.
“First, they don’t know what data they have, where it lives or where it came from.”
Hearing the problem of data visibility stated so simply, it’s hard to believe that organizations won’t have answers to the same three questions: what data they have, where it lives and where it came from. The truth is that these are hard questions to answer without specific investment in technologies and processes.
These three questions are very hard for any organization not in the cloud to answer at scale, as data and applications are likely to be siloed and can’t be queried without significant engineering effort. Cloud APIs and a centralized control plane let organizations quickly inventory their data stores and query who has access to them, and thereby monitor data flow at scale across a multicloud environment. That inventory answers where the data lives and who can reach it; knowing what each store actually contains and where that data came from still requires classification and lineage work on top of it.
It’s equally unfair to expect any CISO new to an organization to be able to answer these questions, and with an average tenure of 18 to 24 months, most CISOs could quite fairly be described as “new.” Their focus is on investing strategically in new capabilities while reacting to the latest incident(s), rather than on unraveling years of technical debt to find out where data accumulated over the years came from or why it was collected in the first place.
“In this case, my concern was more that Twitter didn’t even know what it was collecting,” according to Mudge’s testimony.
But this isn’t the only problem highlighted throughout Mudge’s testimony. In fact, it only lays the foundation for the broader problem, particularly amid concerns over unfettered foreign government activity in and around Twitter. Mudge succinctly sums it up:
“This leads to the second problem, which is the employees then have to have too much access to too much data. And to too many systems.”
Least privilege has always been a core principle underpinning cybersecurity in all of its forms and is usually adopted explicitly within organizational security policies. Its counterpart in modern privacy laws is data minimization: the direction that an organization should collect and retain only the data required to fulfill a specific, stated purpose.
Making A Clear Commitment
The telling part of Mudge’s testimony is that without visibility into what data exists and who can access it, these principles could never have been complied with, and yet they will need to be. Systemic failure to comply with your own security policies and with privacy laws is the type of issue that can’t be unseen at the board level and will require a clear commitment to reducing unnecessary data and/or access.
So, will Mudge’s testimony be a catalyst for boards in other organizations to invest in and focus on data flow visibility and on reducing unnecessary data and access? Data-savvy boards understand that it will take time to rectify years of neglect, but this is a problem that will likely draw greater focus from regulators in the short term.
This article originally appeared here: https://www.forbes.com/sites/forbestechcouncil/2022/11/08/the-future-of-data-security-at-the-board-level-insights-from-the-twitter-whistleblower-testimony/