In breaking news today, information security experts and leaders around the world give up. In uncanny synchronicity, CISOs, CSOs, security auditors, and security consultants up and walked off their jobs.
"It's just so dirty," Niel Iton, CISO, said yesterday morning as he left his information security job as a consultant for the United Nations.
The move appears to be organized but many sources indicate that it's not. There seems to be no central reason such as a new law or compliance objective that they are reacting to. Apparently they all just got fed up at the same time. It appears that they just wanted out of the security industry.
While security leaders and experts have left their jobs in record numbers this morning, it does not appear to be unanimous. The quitters make up only 99% of the professional information security workforce. Specifically, it appears that the quitters are only the ones who don't think security is just about protecting business interests. By the estimate of many business analysts, that means despite being 99% of the workforce, they make up less than 1% of business value.
"If I have to hear one more time that security is about making business succeed I think I'll throw up," said Courtney King, ex-CSO of a nation-wide bank.
Companies have already started responding and compensating for the loss. Ernest Reaves, CEO of Maxilox, a cloud company specializing in the offsite back-up of personal data, explained that they took immediate action.
"After the walk-out, we quickly purchased another firewall to put in front of the first one, secured a license for a second anti-virus product to have 2-factor authentication on the desktops, and picked up a few hundred mousepads that remind people to think before they click on anything suspicious. We've got it handled. No hackers getting in here! So let those quitters just walk away."
Business analysts all seem to agree that it is a good thing that these people have finally left and are no longer a thorn in the sides of executives trying to make another buck. Some are nothing short of ecstatic about the sudden move.
"Good! I'm glad those idiots are gone! They're a friggin costly albatross to businesses anyway," said Sean O'Neil, longtime Business Analyst and host of the network television show 'Money Talks'.
"And don't they know they wouldn't have jobs if information security wasn't about business? It's the businesses who hired them and gave them their jobs. It's the businesses who pay for the suits on their backs. It's the businesses that pay them their salaries so they can buy gas for their cars so they can get to work! So of course they're working for the business. If information security isn't about meeting company business objectives what is?"
Meanwhile, among the 1% of security leaders and professionals who did not up and leave today, there's a lot of confusion. Stephen Usher, President and CEO of the one-man Tiger Team, Heavy Pusher Security Consulting, is angered over the walk-out.
"Don't they get it?! The business of security is business. Whether it's about protecting the private information of your users so your company can sell it to advertisers, or protecting the copyright of pictures and media that your users upload to your servers so your company can claim ownership of it for reuse or resale, or providing strong encryption on communications intercepted from your fellow citizens so they remain private for police use only, or even if it's just to maintain state secrets of spending taxpayer money to defend corporate oil interests overseas, our priority is to support the business. If you can't get in bed with your company's secret mission statement objectives then you have no business being the leader of their information security."
However, it might be exactly that which is the problem. Chatter is beginning to rise through tweets and blog posts regarding the walk-out, and it appears the problem is business. Posters with #InfoSecQuitters are saying that they are cajoled by some security professionals because they choose not to put business first.
One blogger going by the name of Code King Security writes:
"You know how in that movie where an extraterrestrial alien fleet shows up to take over the Earth and there's that one human guy who sides with the invaders? He gives them the knowledge or help to persecute other humans in exchange for gifts and riches? Well, I don't want to be that person. I, for one, do not welcome our profit-minded overlords. I'm not like that 1% who thinks only in terms of using my security knowledge just to support my company's mission statement. I'm there to use security to make sure business is safe for everyone we are doing business with. Not at anyone's expense."
Indeed, many more bloggers are saying the same thing as Code King Security. Sara Hart is another ex-CISO who tweets, "The business of security is not business, it's security." Additionally, she tweets her opinion of the remaining 1%, "Sharks should only protect evil hideouts in movies."
In her follow-up blog post, she writes, "Those pathetic risk and security professionals who are trying to tell us that security is about following a company's business plan or mission statement are just filthy mercenaries out to make more money for their conglomerates and cabals. The security product vendors are the worst. This whole industry is about hawking more of the same crap that does more of the same nothing. The whole security industry has become about profit. Making it or defending how it's made. They disgust me and I want no part of it."
It's hard to say at this point what the repercussions will be from this worldwide walk-out. Political pundits, security analysts, and the Department of Homeland Security are still trying to get a clear picture of the breadth of the problem.
One morning show pundit, Ivan Turnkey, gave his take. "Nobody knows what will happen when the only security professionals left are the ones who think only in terms of assets and business objectives. But it's clear that the losers will be the people. Without security leaders in organizations whose priority is the users, customers, and employees that make up the business, security is only going to get a whole lot worse for us all. If you think EULAs and privacy practices of businesses are bad now, just wait and see what happens when the people who fight for the little bit of security we've got now go away and are replaced by the 1% who only want to defend business interests."
Watch #InfoSecQuitters for minute-by-minute coverage as events unfold. Or take part and sound your opinion.