C.Y.A…The road to nowhere
August 13, 2010
Motivation. Many things act as motivators for how one does their job. Job satisfaction, meeting contractual requirements, or achieving compensation goals are a few reasons why people do their jobs to the best of their ability. Over the past 3 weeks I’ve had conversations where the term C.Y.A. (Cover Your A$$) has been uttered. I have heard this from both clients and from within my own organization, which, when considered in context, created a light bulb moment for me both as a security assessor working with my clients and as an employee working for an organization that offers security assessment services. When CYA is a critical part of doing your job, the amount of overhead one creates for oneself can be disruptive.
During my career doing both infosec and PCI security assessments, I’ve seen many examples of CYA. Usually when interviewing business units I tend to discover that credit card numbers are being written down, emailed internally, and then stored indefinitely. This is typically as much a surprise to my point of contact as it is to me. When asked why, the response is always a whispered, “CYA”. For reasons that may be obvious to other assessors, this response has the hairs on the back of my neck standing up. After further discussions, further paper trails, and scope creep, I have realized that CYA is no longer an admirable quality, if it ever was one. Because several business units within organizations tend to follow a CYA course of action, the amount of “sensitive” information that is being shared internally as well as being sent off site expands the scope of the assessment dramatically. And with increased scope comes increased effort to control these various business units and bring them into compliance.
Now one might write this off as an organizational and procedural problem, but when I heard the term CYA used internally to explain how we deal with clients, I was again struck with a foreboding feeling. In the name of CYA, the amount of time I am required to spend on each client and the corresponding paperwork seems absurd. True, I am billable for that extra time, but I now have to fit this into a schedule that was already packed with my “regular” duties.
As an assessor, I see CYA making it increasingly difficult for organizations to adequately protect sensitive information. At the same time, internal CYA is making assessors more skittish, not only in how they handle their clients but in what they require of their clients during assessments. CYA has even recently entered my realm of thinking and has spooked me. Spooked me because of the recent unpleasantness I’ve put some clients through… No, I am not perfect… shocking!! With that said, I’m not naïve enough to think CYA is not in the back of everyone’s mind when doing their job, but CYA should never be the driving factor in the day to day operations for either me or my clients.