
New York Times Eliminates Director of Information Security Position - idlewords
https://twitter.com/runasand/status/1186775481615605760
======
donohoe
As a former NYT dev I was upset at this but after digging deeper seems like
this isn’t the NYT shelving info-sec but just consolidation (hired
Erinmichelle Perri as CISO in August). It’s always sad when talented people
leave.

[https://www.nytco.com/press/erinmichelle-perri-joins-the-tim...](https://www.nytco.com/press/erinmichelle-perri-joins-the-times-as-chief-information-security-officer/)

------
tptacek
This is alarming, because the job of "newsroom security" isn't the same as the
corporate security job. Smart organizational security teams rely on a meta-
strategy of collapsing user behavior down to a smaller set of activities that
they can track and deploy countermeasures for; this works well for employees
("get everyone on the same ad-blocking Chrome extension that we can vet"), but
doesn't account for the journalist threat model. Journalists work in the field
and deal with sources, who can't (and wouldn't, regardless) comply with
corporate security directives.

What you're hoping a newsroom security practice is doing is building source
protection systems, like secure dead drops, while also serving an advisory and
harm reduction function for the journalists themselves, so that they can
safely open attachments and follow URLs and communicate over social networks.
In that environment, you can't just say "no, don't do that, do this other
secure thing instead", like you can with company staff.

It's a specialized skillset, and one that security teams are not generally
good at.

~~~
DEADBEEFC0FFEE
I didn't read the article, but perhaps they don't need a Director for this
function.

------
msteffen
I got curious about why the NYT would do this and did a little googling, and I
think her boss still works there
([https://www.linkedin.com/in/billmckinley](https://www.linkedin.com/in/billmckinley)),
so, per other comments, it doesn't look like the NYT is giving up on security
or anything crazy like that.

It does seem like they might be cutting staff, though, which doesn't feel all
that much better.

------
kylecazar
I don't know if it's fair to criticize this without knowing the internal
circumstances and motivations for such a move.

As others with knowledge of the matter suggest, this may be purely
organizational. A title being 'eliminated' doesn't necessarily mean its
function disappears.

Not very relevant, but I interviewed with their product team recently. They
seemed very competent and thoughtful.

~~~
tptacek
The tweet itself directly addresses your concern.

~~~
kylecazar
"No need for a dedicated focus" is nowhere near enough information to take away
"this is not important to our company anymore". It is management speak for "you
are not doing that here anymore".

You would have to know the exact responsibilities this person had, how much
time/energy they took, whether or not there was duplication of effort
elsewhere, etc.

It is important to know the facts, from both sides. In my mind, at least.

For example, they are hiring a PM on this same team right now. It's very
possible they just saw this position as an unnecessary level in the hierarchy.

------
andrewstuart
"Why do we need a Security Director? Our security is fine, there's no problem,
so why spend the money?"

There's this weird dynamic in information technology where professionals doing
their jobs really well results in there being no problems. When there are no
problems there's not much attention, and the lack of problems is devalued by
management.

Management values teams and managers who heroically solve big problems and
issues.

This is why companies can sometimes decide that their best people are not
needed cause "all is so quiet" and fire them.

~~~
Gene_Parmesan
This is where having someone on the executive team with technical experience
can be such a boon. I know I'm lucky with this, but our exec (chief admin.
officer) spent years in the IS ('s' is for services) department at our company
-- starting as a VB dev back in the 80s. Luckily leadership is fairly forward-
thinking for a nonprofit and we've been doing Angular and C# for years now.
She consistently goes to bat for our director and has managed to get our CEO
to understand the great difficulty involved in keeping an IS operation running
smoothly.

I mean, think about it. Hospitals wouldn't fire the surgeons for consistently
executing error-free operations.

~~~
dawnerd
When I worked at Discovery Channel I remember a call where the CEO admitted
they have no idea what they're doing with regards to tech. Made my decision to
leave seem smart looking back now that they've shut down Rev 3 (where I worked
for a while) and the other division doing R&D. Was pretty frustrating to build
stuff that would never see the light of day.

TL;DR: execs that know something about tech are super important.

------
RcouF1uZ4gsC
Future headline: NY Times reporter gets phished. Confidential sources'
identities and quotes made public.

Worldwide we are seeing an attack on journalism and the free press. Cutting
security resources as a short term profit-boosting exercise can have
disastrous consequences. Many people all over the world risk arrest or even
death for sharing information with journalists. If they can't be sure that the
journalists have an excellent security apparatus backing them, it will be too
risky for them to come forward.

~~~
motohagiography
I don't know if American journalists seriously need opsec anymore, as nobody
in the legit press is writing anything that could threaten the institutions
they'd need to protect themselves from. Anyone doing anything dangerous today
isn't going to depend on the protection of their newspaper. The only people
with skin in the game are actual activists, short-selling hedge funds, and
maybe some edgy podcasters.

There is this odd dynamic where if you need the additional legitimacy of an
old media organization to get your story out, there must be something fishy
about it. Like it's a palace gossip leak, and nothing with real consequence or
risk.

If your story is really worth your safety, there is the much greater risk that
editors will spike it, the way they did with pretty much every major
whistleblower story of the last decade. Hollywood was protected for years,
intelligence leaks were regularly spiked, and often journalists themselves
were complicit actors in the official retaliations. I'm sure the NYT will
still have a security role of some sort, but the idea that it could actually
equip reporters at a corporate level with the tools to do the kind of opsec
you need to facilitate stories at the level of the Intercept, Wikileaks, and
other insurgent media seems unlikely.

~~~
marcoseliziario
One of the most annoying things in hacker news is people downvoting any
opinion that doesn't match their world view.

I don't necessarily agree with the poster above, but it is obviously not an
instance of trolling, also it is not offensive or damaging to anyone.

~~~
danso
Declaring that journalists today aren’t writing anything of importance is a
pretty trolling assertion.

~~~
marcoseliziario
Ironically, someone downvoted you. Which is a shame. Even not agreeing with
what you said about it, I really appreciated the opportunity to present my
counter-points to you.

~~~
danso
I appreciate your lengthy response.

------
shaki-dora
It's really impossible to pass judgement on this decision without hearing the
reasons.

Reading between the lines (and using common sense) suggests that the NYT does
have a security team, only that its focus is larger than just the newsroom.
One scenario therefore would be a consolidation of security roles. The "Head
of Newsroom Security" position would no longer exist, even if there is/are
dedicated people with that portfolio.

~~~
jonahbenton
From a PR perspective, it is possible to pass judgement. The clear judgment
here is that this move, in the way it was handled, created a PR problem for
the NYT at a really poor time for it to have this sort of PR problem.

It may be that the new NYT CISO feels that newsroom, journalist, and source
defense is a) critical and b) better handled by eliminating this role.

Every security person would agree with a). Given the visibility Runa had and
the positive PR she created around this unique need, b) is not the outcome one
would predict.

There is always more to the story than the headline, but as the NYT knows the
headline is important in its own right.

Here, the NYT wrote the wrong headline.

------
TecoAndJix
Tidbit - they have a post on /r/netsec for application security engineers (so
they are at least growing the team)

[https://www.reddit.com/r/netsec/comments/dc9zia/rnetsecs_q4_...](https://www.reddit.com/r/netsec/comments/dc9zia/rnetsecs_q4_2019_information_security_hiring/)

------
justin66
July 2018 NY Times article about the person who just lost her job:

[https://www.nytimes.com/2018/07/24/insider/meet-runa-sandvik...](https://www.nytimes.com/2018/07/24/insider/meet-runa-sandvik-security.html)

------
ethagnawl
I've worked for one of the NYT's subsidiaries and personally witnessed how
their security posture changed (for the better!) after they were acquired by
NYT. I was told that these downstream changes were due to policies laid out by
Runa and Runa's team.

NYT will come to regret this decision. Hopefully, for their
employees/readers/journalists/sources/etc. sake, it's only because of the bad
publicity.

------
FiloSottile
To anyone thinking "that's such a bad move that it makes no sense", it's not
you: my entire Twitter timeline of security professionals and journalists
reacted the same way in unison.

[https://twitter.com/SarahJamieLewis/status/11867779666063400...](https://twitter.com/SarahJamieLewis/status/1186777966606340096)

[https://twitter.com/fugueish/status/1186779963975843842](https://twitter.com/fugueish/status/1186779963975843842)

[https://twitter.com/Pinboard/status/1186781483031089152](https://twitter.com/Pinboard/status/1186781483031089152)

[https://twitter.com/mik235/status/1186781955183874049](https://twitter.com/mik235/status/1186781955183874049)

[https://twitter.com/dangoodin001/status/1186780837750046721](https://twitter.com/dangoodin001/status/1186780837750046721)

[https://twitter.com/osxreverser/status/1186779010073858048](https://twitter.com/osxreverser/status/1186779010073858048)

[https://twitter.com/mshelton/status/1186784191427465216](https://twitter.com/mshelton/status/1186784191427465216)

[https://twitter.com/josephfcox/status/1186778165798166531](https://twitter.com/josephfcox/status/1186778165798166531)

[https://twitter.com/0xabad1dea/status/1186785548746346496](https://twitter.com/0xabad1dea/status/1186785548746346496)

[https://twitter.com/a_greenberg/status/1186786727530323970](https://twitter.com/a_greenberg/status/1186786727530323970)

[https://twitter.com/evacide/status/1186786743774658562](https://twitter.com/evacide/status/1186786743774658562)

[https://twitter.com/str4d/status/1186787004635205632](https://twitter.com/str4d/status/1186787004635205632)

[https://twitter.com/count3rmeasure/status/118677928069453004...](https://twitter.com/count3rmeasure/status/1186779280694530049)

I think this tweet by Runa just yesterday is a perfect example of why her role
was fundamental to the NYT's mission.

[https://twitter.com/runasand/status/1186206876381384704](https://twitter.com/runasand/status/1186206876381384704)

~~~
awinder
How many people are still under the CISO at NYT? I’m getting spidey-senses
tingling that there was bloat in that part of the org, not some insane “we
don’t need security” type of angle.

EDIT: it looks like NYT hired a CISO around August
[https://www.google.com/amp/s/www.csoonline.com/article/32040...](https://www.google.com/amp/s/www.csoonline.com/article/3204008/security-executives-on-the-move-and-in-the-news.amp.html)

~~~
dontbenebby
How do we know the stated reason is the real reason?

The one thing I don't see being raised anywhere is that it's incredibly common
in civil society for folks who are "shrill" (supportive of equality for all
races, gender identities, etc.) to be pushed out for "lack of cultural
fit".

~~~
DoreenMichele
One of the problems is that a lot of people who are nominally "supportive of
equality for all races, gender identities, etc" are actually openly hostile to
cishet white men with money.

I think it's possible to separate those two things and I have this hypothesis
that you will get further if you are careful to do so and are less likely to
be called "shrill" and pushed out.

------
kerng
Wouldn't wanna jump to conclusions from a single tweet without hearing the
other side of the story. Like, I have no idea how the NYT's internal security
organization is structured and what the bigger picture is.

Employees that send out critical tweets on the day they are let go are typically
in an emotionally driven mode. So, I'm sure we will hear more soon.

------
kbos87
This whole thread is a bunch of people reading into a situation we know
nothing about. The truth of corporate structures is that they vary widely, and
we can’t really read much about NYT’s commitment to infosec through this move,
especially since it came from a party who was personally impacted.

------
badrabbit
Very weird, there are much less prominent and less targeted corps with CISOs,
lol. Their loss, the lady is a freaking legend.

Bit of a perspective: Companies sometimes keep security staff but have them
report under a director of some IT department. Companies are also horrible,
just horrible, about how they perceive the value of an infosec position; the
ROI is you don't get pwned. Period. No money savings, no contribution to the
bottom line. Not dissimilar to a good insurance policy. I partly fear because
it's up to the whims of some exec or some catch phrase they hear somewhere
that changes their perception of what value we bring to the table, whereas
engineers build, admins run systems and fix breaks.

~~~
mrunkel
[https://www.nytco.com/press/erinmichelle-perri-joins-the-tim...](https://www.nytco.com/press/erinmichelle-perri-joins-the-times-as-chief-information-security-officer/)

Yeah, NY Times agrees with you. They have a CISO.

------
hackerrenews
One has to wonder if there’s a political reason for this decision by the NYT,
given Ms. Sandvik’s early involvement with Edward Snowden. Surely this must
have made for an interesting dynamic at such a newspaper.

~~~
dontbenebby
Why would they dislike someone affiliated with Snowden if they published based
on Wikileaks data?

[https://en.wikipedia.org/wiki/United_States_diplomatic_cable...](https://en.wikipedia.org/wiki/United_States_diplomatic_cables_leak)

(CTRL-F "New York Times")

------
gauravphoenix
Oh no. Just a few days ago I reported a vulnerability in their billing system
which has privacy implications.

I am still waiting to hear back from them.

------
TheMagicHorsey
One shouldn't jump to conclusions and assume the security function is being
eliminated.

Positions can be eliminated for a number of reasons. Reorgs, personnel issues,
and redundancies are just a few possibilities.

Putting your former employer on blast publicly is a good way to show future
employers you might lack judgment.

------
neuralzen
I just saw Runa speak at kawaiicon (kiwicon) in New Zealand, giving the
keynote speech, and it was quite evident she not only knew what she was doing
but applied it skillfully in the context of an international investigative
journal. They no doubt have nation-state actors working against them and trying
to infiltrate, and in the light of the both present and coming tsunami of
security issues, I can't begin to guess what her employers are thinking in
eliminating her role. She will fare far better than the NYT in this decision,
that's certain.

------
willart4food
Management by Spreadsheet: Look! +140K added to the bottom line!

------
campfireveteran
The mainstream media is like a Diebold voting machine... it's easier to not
measure what you're not going to fix.

PSA to future anonymous whistleblowers: don't engage the NYT or you are now
more likely to be unmasked.

------
jakeogh
Interesting organization. The "just a Newspaper" cover is getting old though.

[https://gawker.com/here-are-some-top-n-y-times-editors-and-s...](https://gawker.com/here-are-some-top-n-y-times-editors-and-staff-joking-a-1713336525)

------
chishaku
Information security is as unnecessary as a public editor.

[https://www.politico.com/story/2017/05/31/new-york-times-pub...](https://www.politico.com/story/2017/05/31/new-york-times-public-editor-239000)

edit: /s

~~~
matt4077
The reasoning for eliminating the public editor was that today, social media
does a far better job at it than anyone in-house ever could, especially
considering the widespread view that it's impossible to independently
criticise one's own organisation.

~~~
will4274
Which is, of course, ridiculous. The public editor (or ombudsman at WaPo)
served a crucial role in giving official "news" status and internal
information about drawbacks in their own reporting - neither function of which
can be filled by randoms on social media.

