Read the story on Peiter Zatko going public on the security and management mess at Twitter following his firing as CSO last January. This is a very big story, making public not the political bias at Twitter but the total management failure and malfeasance. Not surpassingly, the Twitter executives have thrown mud at Mudge, but note this quote from the article:
Casey Ellis, Founder and CTO at Bugcrowd, shares his opinion:
"Mudge has a long and rock-solid reputation of putting integrity first. He's also one of those InfoSec elders who rarely sticks their neck out to make a fuss, but when they do it's almost certainly worth paying attention to. This dates back to the L0pht testimony in 1998, which was a warning to Congress about computer insecurity well before its time.
Judging by the way the InfoSec community has closed ranks around him this morning, others clearly feel the same way. InfoSec doesn't suffer fools and has a keen eye for sensationalism, and I think the reaction today speaks very strongly to both his character and the claims themselves."
I'd assume that many of the critics have very little experience dealing with actual ethical challenges. The assumption that Mudge woke up one day and decided it was time to blow the whistle is relatively laughable.
What professionals do, or at least should seriously contemplate to do, is to talk to peers, mentors, and advisors they trust to validate their position and have it challenged. Knowing Mudge's history I am almost certain that this is what he has done in preparation of his final decision. I have no doubt that he made the right choice and his points have standing.
Good ethical decisions are rarely made in isolation, or in darkness.
The timing of this dropping is suspiciously close to Elon's court case with Twitter in Oct.
Anyway, while I have no doubt Twitter does have some serious security and privacy issues, I couldn't hire Peiter for a CISO role because I couldn't trust him at this point. If we disagreed on the importance of a security issue would he just report it publicly again with just his side of the story? This might seem overly harsh but it seems like he's a very good technical CISO but has terrible leadership skills on actually pulling the different department heads together to implement a security program.
At the end of the day, does this help or hurt the security industry?
Your reply leads me to believe you do not know Mudge or his history, and did not read either the complete article I liked or the deeper dive in the CNN article linked at the end of tha tone.
Read both articles to learn how he tried to inform the Board, was thwarted by the CEO and CTO, and only then fired.
I do not know him personally, but would d hire him in a heartbeat.
I guess this is where I, again, point out our own Code of Ethics ...
This order is intentional because a professional should always choose ethics over loyalty.
In absence of evidence to the contrary, we have to assume Mudge did exactly that.
I'm not saying he didn't think he was acting ethically but it is a dangerous precedence he's setting. Cybersecurity people are notoriously known for over blowing a risk they think is huge when in all actuality it's not for the business as a whole. I hope it's not one of those situations.
I heard Elon's lawyers subpoenaed him for his court hearing in Oct so we'll see what happens as this develops.
@tmekelburg1 wrote:Cybersecurity people are notoriously known for over blowing a risk they think is huge when in all actuality it's not for the business as a whole.
I think that is a generalization that needs qualification. Or perhaps a different phrasing I'd agree with is "cybersecurity people are notoriously known for poorly communicating risk." But I think you touch on something that is truthful. We can run down a litany of security incidents that were serious, caused a real impact for consumers, and maybe some impact on the business in question, but lo and behold, within months the company in question had more than recovered in stock price. So there is something missing in the security risk calculation. In the case of Mudge, I feel like saying "What did you expect?" His hiring was a PR ploy. By the same token, Twitter knew what it was getting. Mudge wasn't going to toe anyone's corporate line.
That's a fair statement, I over generalized that and should have clarified what cybersecurity thinks is a high risk compared to what the business considers a high risk.
Yeah, he was hired in and reported directly to Dorsey without any authority to present to the board. It was an all around bad deal after reading more about his position.
Edit: This is a great cautionary tale of knowing where the role of security fits into the organization before accepting the position for anyone moving into management or a CISO role. If you're hired into the org as the "superhero" there will inevitably be friction with the existing team.
@tmekelburg1 wrote:This is a great cautionary tale of knowing where the role of security fits into the organization before accepting the position for anyone moving into management or a CISO role. If you're hired into the org as the "superhero" there will inevitably be friction with the existing team.
And it's fascinating how we struggle with this. We see this with things like sustainability or workplace diversity, too. An organization has some incident or perhaps witnesses a competitor have an incident, and they create some senior position, bring in someone, and then give them virtually no staff or resources despite the big todo.
The organizations that do security well (not to mention those other things) don't necessarily have some C-suite job title. What they do have is management and a board that takes these things seriously and integrates them throughout the organization. To me, "Twitter cybersecurity" makes as much sense "McDonald's healthy menu." Their business model is built upon the exploitation of their user base. For them, the concern about a data breach isn't if users will be manipulated or their data used somehow. It's that when it happens due to a data breach - rather than in the course of Twitter's business model - Twitter doesn't get paid for it!