As most of the folks who work at Veracode know, I’m brand new to the IT security space. I’ve been in start-ups most of my career and I’ve touched many industry verticals, but this is my first foray into security. I’m not sure if it was a complete coincidence, but from the moment my initial discussions began with Veracode I started to hear about breaches almost every day. Our new CEO, Bob Brennan, and I discussed this phenomenon the other day. He’s only been at the company for ten weeks, and he too attested to suffering from this “security tunnel vision”. But we both questioned whether it was simply tunnel vision or if something really big is happening with IT Security. Let’s just look at this past week.
On Monday we all heard the news that Anonymous released details of an FBI call to Scotland Yard and the main topic of that call – Anonymous! And you didn’t have to be an IT security practitioner to notice this; it made the Washington Post and was featured on the CBS Evening News! That same day here in the Boston area we got word that the Boston PD had successfully restored their website after it had been hacked the previous week. On Tuesday came the Symantec announcement that hackers posted source code after a failed extortion attempt. This one might have been noticed by mostly security professionals as the news was broken by a security-focused online publication, Dark Reading, but it wasn’t too long before it hit the Wall Street Journal, CBS News and the LA Times. So even if I wasn’t at a security company right now, chances are I would have heard about this too. Wednesday comes with the headline Syrian President Bashar Assad's Email Hacked. This one barely made the rounds with the security pubs, so I was more likely to notice this if I followed world politics or was doing a search for Barbara Walters as it was an e-mail to Assad to prepare him for an interview with the famed ABC newscaster that garnered much of the coverage. In the Boston-area (where Veracode is located) we all woke up to this on Thursday morning: One of our major daily newspapers, The Boston Herald, was shouting a dire warning of more attacks to come. For any Herald subscriber or commuter who passes at least a half dozen newspaper racks in the morning this one was very hard to miss – so I don’t think I noticed this because I’m now “in security”. Today might have been the only day this week where I didn’t see or hear something new. While many media outlets recycled the security stories above, there didn’t appear to be a major story. If I was a Bank of America customer I might have gotten a letter to notifying me that my credit card may have been compromised, but I’m not a customer. However, I do know a few and at least one of them got this letter along with a new credit card and card number – a complete pain if you have it stored on any number of sites to take advantage of the ‘quick check-out’ option. But who knows, today isn’t over yet. As security professionals do we all just suffer from “security tunnel vision” or is something major shifting in our industry? Is it all just related to the significant rise in hactivism or the 24-hour news cycle requiring that every little thing become a news story? Is the new SEC Disclosure Guidance forcing companies to release more breach information than they ever have in the past? What’s up with this? We’d love your thoughts.