A Culture of Secrecy

June 20, 2023

I may not be the right person to opine on the cybersecurity Culture of Secrecy. My career was launched by a stint as a military member of the National Security Agency. I had been managing data centers for the Air Force and was unceremoniously whisked away to Fort Meade on short notice after a strenuous two-day polygraph session at Pease AFB in New Hampshire. I was assigned at a time when I couldn’t even admit my employer publicly.

My military leaders instructed me to simply tell family and friends I was employed by the Department of Defense. It was explained to me that was all they needed to know. As I was working to relocate my young family to Maryland, I took my wife and two impeccably dressed little daughters to seek out a church. As first-time church visitors, we were always confronted by a pastor or deacon after the Sunday service and asked all the normal inquisitive questions. The second one was always, “Where do you work?”

My wife looked up and smiled at me as I calmly informed the clergy I worked for the Department of Defense. The Pastor in this case immediately signaled a nearby parishioner and called out, “Hey, Fred, here’s another guy who works for the NSA like you!” So much for low-key. I later learned this Department of Defense fig leaf was the subject of much local mirth and community storytelling.

We ended up purchasing our first home nearby: a modest townhome in a suburban neighborhood. Many, if not most, of our new neighbors worked at Fort Meade. One day early on, my wife was accosted by the stay-at-home mother next door who was married to a tile salesman. She wanted to know what the heck we all did that required her to answer her door repeatedly during the day to a parade of DoD security agents performing periodic background checks. She found herself being one of the few people at home when the agents were out looking for anyone to comment on the behaviors and habits of their neighbors.

I recalled all these memories as I spoke recently with a friend who was on a consulting engagement. She was asked to manage the many cybersecurity components as this large company transitioned its data services contractor to another. One of the driving forces for the transition was a breach that had impacted the whole organization only a few months earlier. Knowing there had to be an after-action report on the breach, she requested a copy to aid in her initial assessment of their security posture. She was flatly told no. She pressed a few more times but was roundly rebuffed and finally realized they wouldn’t share that report with any outsider - even one they had hired to look at their security.

She and I spoke of our shared Culture of Secrecy. She mused, “What’s the problem with sharing the report with a cybersecurity expert with a non-disclosure agreement? They hired me as a contractor because of my expertise. I have written many of these after-breach reports myself. Sure, it’s likely very embarrassing and contains a lot of sensitive material they’d just as soon sweep under the rug. But what good will the report do them if they can’t share the appropriate parts with their employees and contractors to change things for the better?”

“I am not certain of their reasons,” I replied, “but I am assuming they want to keep this close hold to protect people. You noticed the CISO retired right after the breach. There is likely nothing in that report we couldn’t guess with a goodly amount of accuracy. I appreciate the fact they are just trying to spare the people involved any follow-on repercussions. This would include even the Board of Directors, I imagine.”

“From what I have seen already,” she said, “I believe you are entirely correct. I have a lot of work to do now to prepare their cybersecurity program to move it from their former IT services provider to a new one. Most of that effort is simply moving what they currently have. There isn’t really enough ramp to upgrade any of their technology or processes.

“But I doubt keeping to the Culture of Secrecy will help in the long run.”

I chuckled as I could still hear the pastor calling out, “Hey, Fred…”

About the author: John McCumber is a seasoned cybersecurity executive with over 25 years of progressive experience in information assurance and cybersecurity operations, acquisition, management, and product development. Expertise in corporate security policy development and implementation of security in information technology design. Recent experience working with Congress on cybersecurity legislation and professional advocacy. He is a long-time columnist with Security Technology Executive magazine and contributing writer at Ordinary Times. John is a retired US Air Force officer and former Cryptologic Fellow of the National Security Agency. During his military career, John also served in the Defense Information Systems Agency and on the Joint Staff as Information Warfare Officer during the Persian Gulf War.
About the Author

John McCumber

John McCumber is a security and risk professional, and author of “Assessing and Managing Security Risk in IT Systems: A Structured Methodology,” from Auerbach Publications. If you have a comment or question for him, e-mail [email protected].