I usually don't use this blog to comment on security "current events;" there are enough pundits and prognosticators out there already that one more voice isn't needed. Still, the recent events at Tanium do merit a word or two.
For those of you unfamiliar with the company, Tanium is a well-established provider of "next-generation" security software. Founded in 2007, their product suite advertises visibility and control over network endpoints in seconds. Still privately held, the company has a current market valuation in excess of $3 billion and is a trusted "go-to" vendor for many security professionals.
In recent weeks, though, the luster has begun to come off of this security diamond. Last week, a Bloomberg exposé on Tanium accused the founders of the company (father and son team David & Orion Hindawi) of dismissing employees prior to the vesting of their stock options. This would allow the owners to retain more control of the company prior to an initial public offering, and rob those who had invested "sweat equity" into Tanium's success of a potential windfall. Just today it was revealed that Tanium was accessing a live customer network for its product demos without the permission of the customer. Adding insult to injury: the customer in question was a hospital. This means that, through the course of hundreds of demos, Tanium -- a security company -- exposed live, sensitive information about the hospital's IT systems.
I won't make predictions regarding the future of Tanium or the Hindawis; I'm nowhere near smart enough to do that. I will state, though, that Tanium's predicament offers a lesson to all Warriors of the Light regarding the importance of trust in the performance of our duties. Our function and its associated responsibilities require us to have the "keys" to our organizations' most treasured information and secrets; our profession requires that we have (and maintain) the knowledge and skills to exploit that access. Yet our professionalism reminds us constantly of the multiple layers of trust that our organizations place in us as individuals and as an organization. They not only trust us to protect them and keep them from harm, but they trust us not to abuse the access that they have given us.
Trust must be earned and constantly re-earned as a security professional. When we lose the trust of the organizations we support we cannot be effective. Tanium's recent actions, if proven true, should give all of us pause and remind us of the importance of not abusing the trust we have been given.
My two cents...