
Before I became self-employed, my last role was that of Agency Chief Information Security Officer, or ACISO.
The job title itself sounds grand and impressive, but the work was mostly cleaning up after fairly basic mistakes by staff and vendors that led to simple IT security and cybersecurity breaches. It also involved answering to a few external stakeholders outside the organization's command structure who had the power to tell you what to do but had no power to reward you for doing a good job.
The worst enemy of most organizations and entities with respect to IT security or cybersecurity breaches was not sophisticated Advanced Persistent Threats (APTs) or “hackers” but rather simple and unsophisticated mistakes on fundamental IT security principles.
Let me share one of the “own goals” scored by staff of the entity that was a drain on the time and resources of my previous IT Security Team.
One day, I received an email to the generic IT security mailbox that our team monitored. The complaint was forwarded from one of the staff of the entity, who had himself/herself received a complaint from the parent of a former student of this educational institution.
The complaint was that there was a “data breach” because someone had written a threatening letter to her child. This alleged threatening letter was not signed but was contained in the official envelope of the educational institution.
In order to perform the preliminary investigation, we made some enquiries to the department which had likely sent out the letter, as the official organizational envelope, which had the name of the department printed on it, prima facie appeared to indicate that the originator came from that department. However, the fact that such envelopes were not particularly sensitive, and hence not kept under lock and key, meant that almost any staff member of the department could have gotten hold of one.
Fortunately, as part of our initial enquiries to that department, someone in the admin function of that department happened to know who had sent out that batch of letters. It later turned out that one of the academic staff had asked his class to write a letter addressed to their future selves three years later. The academic staff then collected the letters and informed his class that he would post them three years later, so that they would receive the letters they had written to themselves three years earlier.
Whilst the intention behind the exercise was commendable, the execution was not. The academic staff did not ask the students to include any background or context in the letter, so that the students who received them three years later would be aware of why the letters were written and what they were about.
In this case, the student who wrote the letter turned out to have not followed the assignment properly and wrote himself a threatening letter saying that he would not amount to anything, with a few choice expletives. As the letters were not vetted by the academic staff before being sealed in the envelopes whilst awaiting posting three years later, the student who received his own threatening letter did not recognize his own handwriting, and when his parent was made aware of the letter, she jumped to the conclusion that the institution had leaked the student's name and home address and blamed the institution.
After we managed to find out that it was all due to this “letter to future self” exercise by the academic staff, we advised him to provide some context next time to avoid such unnecessary issues, which had resulted in the waste of many man-hours of the IT security team in trying to ascertain whether there had been a data leak of former students' names and addresses.
This is just one of several instances of “own goals” scored by the institution’s own staff against itself. I will share others over time when I recollect them.
My experience as an ex-CISO showed me that whilst external threats are real and possible, internal threats are more likely because the ability of human beings to do self-destructive things is beyond imagination.
For those who are CISOs or in IT security, I hope such situations do not happen to you as they happened to me in the past. But such incidents make for good LinkedIn posts and future Toastmasters speeches.