by gwittel 1384 days ago
In reading Mudge's complaint, it really paints the Twitter leadership (esp. Agrawal) as simply not caring about security enough to do anything about it. Instead you had an org with massive amounts of technical and operational debt, and leadership not willing to invest in it. There are always tradeoffs between fixing technical debt and building new features. Twitter leadership chose to ignore (and to some extent, hide) the problem rather than invest. They certainly aren't unique in having a security plan that is built around hope.

Engineers having full control over their dev machines, up to and including preventing system updates, is not ideal, but not out of the norm for tech. Poor data access controls and out-of-date server fleets (where I'd expect updates to be pretty automated) are far more worrying to me.

3 comments

I wonder if Mudge was fired for, basically, being too good at his job. He didn't toe the CEO's line, and was pointing out how the house was on fire, which is not what Agrawal wanted to hear (maybe Dorsey wanted to hear it when he hired Mudge, but Agrawal had different ideas). I suspect that most people who make it to the ultra-high level of "Head of X" are hired more for their organizational/social talents, which oftentimes involves capitulating to those more powerful/higher on the food chain, rather than being actually talented at X. Mudge actually has the bona fides for the role, which is why he got fired (I'm guessing).
It's worth noting that being good at IT Security is in huge part a function of your soft skills, since you should be able to sell security to the org, since your job is to make the work happen, not to identify it and complain that it needs to be done.

any amateur can run some automated scanners and issue security diktats to the rest of the organization

I mean... Twitter hired him as head of security. They ostensibly already cared about security. Or, at least Dorsey did, maybe Agrawal didn't. I suspect he wanted a yes man to offer some minor changes and say "Yup, everything's secure here". Before this, Mudge was facilitating the NSC in ultra-high-level briefings to provide accurate reports to POTUS. I suspect you don't end up in that position without some strong soft skills. But, as strong as they are, you can't convince someone who doesn't want convincing.
the head of security is responsible for getting buy-in from the organization on security measures, that's what makes them the head

"you can't convince someone who doesn't want convincing" is also a weak cop-out that would be totally unacceptable as an attitude of the head of anything. As head of IT Security, part of your JOB is convincing people who aren't convinced (easily played off as 'they don't want convincing' by people who fail to convince them)

if a head of IT Security came to me as a CEO and lamented "the organization isn't doing what I tell them to do", I feel like an appropriate question is, "what do you plan to do about it?" or "what options do you have in mind to get them to?" Every CEO knows security is a pain, they hire executives in order to delegate pains away

That sounds like the response of a CEO supportive to the endeavor.

What happens when head of security tells the CEO that necessary, important security changes will cut their revenue by 30%?

being supportive of an endeavor doesn't mean being okay with your executives laying key parts of their own job description (remember, it's the CISO's job to get buy-in, not the CEO's) at your feet and telling you that it's hard to do because "some people don't want to be convinced"

in your example, the CEO might continue to listen while the head of security explains why it's worth more than that 30% loss to secure the systems

examples might include the cost of lawsuits, the cost of regulatory action, the risk of actual harm to people (customers or otherwise), the cost of reputational damage, etc... security has to economically justify its internal projects just like every other department does

> In reading Mudges' complaint, it really paints the Twitter leadership (esp. Agrawal) as simply not caring about security enough to do anything about it.

I've worked in 3 Fortune 250 blue chip companies. My experience is that senior management is doing just enough about security to check the boxes that the trade press -- and the consultants they say we should hire -- say we need to check to have enough legal coverage to weather a possible lawsuit.

Given that Yahoo! had their ENTIRE user database hacked, and VISA, and endless other examples of major personal data breaches, and that none of these things ever results in anything more than a slap on the wrist, I'd say that even these paltry box-checking efforts are probably a waste of money.

I don't know how this situation would be materially any different at a "FAANG" company versus a 100-year-old manufacturing company.

> Engineers having full control over their dev machines up to and including preventing system updates is not ideal

If you had an out-of-date version of the OS you’d be cut off from the VPN. Pretty standard stuff.

Definitely. Twitter seems to have not been doing a lot of standard best practices for a company of their size.

My intent was pointing out that engineers with high-level access to their dev machines is pretty common in tech. Not that other controls like policy enforcement are also often absent in tech (esp. in larger companies). Hard to know how common that is -- seems unusual at least in big tech.