Software Associates specializes in software security and privacy compliance for medical device vendors in Israel. One of the great things about working with Israeli medical device vendors is the level of innovation, drive and abundance of smart people.
It’s why I get up in the morning.
Most people who don’t work in security assume that the field is very technical, yet really – it’s all about people. Data security breaches happen because people are greedy or careless. 100% of all software vulnerabilities are bugs, and most of those are design bugs which could have been avoided or mitigated by 2 or 3 people talking about the issues during the development process.
I’ve been talking to several of my colleagues for years about writing a book on “Security anti-design patterns” – and the time has come to start. So here we go:
Security anti-design pattern #1 – The lazy employee
Lazy employees are often misdiagnosed by security and compliance consultants as being stupid.
Before you flip the bozo bit on a customer’s employee as being stupid, consider that education and IQ are not reliable indicators of dangerous employees who are a threat to the company’s assets.
Lazy employees may be quite smart but they’d rather rely on organizational constructs instead of actually thinking and executing and occasionally getting caught making a mistake.
I realized this while engaging with a client who has a very smart VP – he’s so smart he has succeeded in maintaining a perfect record of never actually executing anything of significant worth at his company.
As a matter of fact – the issue is not smarts but believing that organizational constructs are security countermeasures in disguise.
So – how do you detect the people (even the smart ones) who are threats to PHI, intellectual property and system availability:
- Their hair is better organized than their thinking.
- They walk around the office with a coffee cup in their hand and when they don’t, their office door is closed.
- They never talk to peers who challenge their thinking. Instead they send emails with a NATO distribution list.
- They are strong on turf ownership. A good sign of turf ownership issues is when subordinates in the company have gotten into the habit of not challenging the coffee-cup-holding VP’s thinking.
- They are big thinkers. They use a lot of buzz words.
- When an engineer challenges their regulatory/procedural/organizational constructs – the automatic answer is an angry retort: “That’s not your problem”.
- They use a lot of buzz-words like “I need a generic data structure for my device log”.
- When you remind them that they already have a generic data structure for their device log and a wealth of tools for data mining their logs – amazing free tools like Elasticsearch and R – they go back and whine a bit more about generic data structures for device logs.
- They seriously think that ISO 13485 is a security countermeasure.
- They’d rather schedule a corrective action session 3 weeks after a serious security event instead of fixing the issue the next day and documenting the root causes and changes.
If this post pisses you off (or if you like it), contact me, Danny Lieberman. I’m always interested in challenging projects with people who challenge my thinking.