The Public Eye

Keeping tabs on federal government efforts to protect citizens' privacy

LinkedIn Has Neither CIO nor CISO

Failing to Learn Lessons from the RSA, Sony Breaches

LinkedIn, the social network that's investigating the pilfering of what could be more than 6.5 million of its members' hashed passwords, has neither a chief information officer nor chief information security officer (see LinkedIn: Hashed Passwords Breached).

"We don't currently have executives with those specific titles, but David Henke, senior vice president, operations, oversees the functions," a LinkedIn spokesperson wrote in response to my inquiry.

LinkedIn isn't the first technology company to suffer a breach while lacking a senior executive specifically responsible for the security of its data and systems. Two of the most prominent breaches of 2011 - at security provider RSA and consumer electronics giant Sony - occurred when neither company had a CISO. Both, however, employed a CIO at the time.

Shortly after the RSA and Sony breaches, both companies hired highly regarded IT security experts as their CISOs (see RSA Explains Duties of New CSO and Ex-DHS Official Becomes Sony's CISO).

It's hard to imagine that a company with offerings as sophisticated as LinkedIn's has neither a CIO nor a CISO, especially in the wake of the RSA and Sony breaches. After all, LinkedIn's primary product is information. Henke's resume is impressive; he seems well-versed in technology and operations. Yet the expertise outlined in his official LinkedIn bio doesn't reflect the IT security and risk management know-how that defines the CISO role.

Does LinkedIn get it? In response to my inquiry about whether the social network has a CIO and CISO, a LinkedIn publicist referred me to a blog post, written after the breach by a marketing director, that explains the steps LinkedIn is actively taking to protect members: locking down and safeguarding the accounts whose passwords had been decoded, invalidating those passwords, and adding layers of security to protect its current production password database. Would LinkedIn have taken those steps earlier, and perhaps avoided the breach, if it had a CISO?

A generation ago, most businesses began to understand they needed a top executive who could convey to the CEO and the rest of the organization how much the business depended on IT to function; thus, the role of CIO evolved from that of a mere manager of data processing.

Today, the same holds true for information security. Businesses, governments and other organizations cannot function efficiently in today's society if they lack a key executive focused on IT security; otherwise, their stakeholders are put at risk. The hashed-password breach shows LinkedIn could use both a CIO and a CISO, executives focused on the strategic importance of information and its security. Henke appears to have too many other responsibilities to provide the conscientious IT and security leadership LinkedIn needs.

* * *

Note: LinkedIn has retracted an earlier statement that two senior vice presidents shared oversight of the social network's IT and IT security functions. In an e-mail received on the afternoon of June 8 (EDT), LinkedIn said only David Henke has those responsibilities. This article reflects LinkedIn's updated statement.



About the Author

Eric Chabrow

Executive Editor, GovInfoSecurity & InfoRiskToday

Chabrow, who oversees ISMG's GovInfoSecurity and InfoRiskToday, is a veteran multimedia journalist who has covered information technology, government and business. He's the former top editor at the award-winning business journal CIO Insight and a long-time editor and writer at InformationWeek.