Heartbleed: What Have We Learned?

Here at the Acumin Blog we always try to tread carefully. We realise this means we’re not like a lot of other blogs, and it also means we won’t be your first port of call for breaking infosec news (though we trust you’re keeping a close eye on the news feed over at the main Acumin site, of course). We’re OK with that: we’d rather make sure we were offering information and opinion that is as informed and carefully weighed as possible, even if it means we miss out on click-throughs in the white heat of the moment when a topic is trending on social media. Call us old-fashioned, but we just feel more comfortable this way.

But time waits for no blogger, and we really are a bit overdue a post about Heartbleed. By now you’ve all read enough about the problem, have scanned the horizon for the four horsemen of the cyber-security apocalypse, and breathed a sigh of relief that the digital sky hasn’t fallen down (yet). You might even have changed some passwords, then realised you didn’t have to after all – probably not, you’re all IA pros around these parts and you’re not likely to have been panicked by the early mainstream media reports that advised everyone on the internet to do just that. And you’ll maybe have enjoyed a quiet, private chuckle at the backtracking that followed a day or two later when it emerged that anyone who’d rushed to act before the OpenSSL hole was fixed had merely thrown new passwords after bad old ones, and would have to do it all again, once the vulnerability was patched.

It’s easy to be wise after the event, of course, and that turns out to be one of the lessons the Heartbleed episode might yet engrain ever more deeply on the information-assurance industry’s psyche. “No security person responsible for their organisation could have seen Heartbleed coming,” Duncan Brown, cyber security and research programme director at Pierre Audoin Consultants, told us when we were talking to him for our RANT Forum preview post last week. “It’s very, very hard to predict or to protect against that sort of problem. You can be the best-protected organisation, but if a key element of the internet infrastructure fails then we’re all exposed. You can build a strong house, but if the foundations start crumbling underneath then there’s no security system or burglar alarm that’s going to help you.”

The Heartbleed episode also appears to raise questions about the use of open-source code in otherwise bespoke or custom security systems. It’s unlikely the average security software engineer is going to start writing their own code instead of relying on open-source components they’ve been using safely and securely for years, but those in the enterprise who have to manage the organisation’s exposure to risk are certainly going to have to spend a bit more time making sure that they understand the potential for Heartbleed-like problems in the future.

“I bet that many, many organisations had no idea that they were using OpenSSL, or any open-source piece of equipment,” Brown argues. “Many organisations run websites and they have got no idea that they’re based on a Linux platform, for example. Perhaps at the top end, they will have an asset register, they’ll have well-run and well-managed audit trails for what they’re using: but many, many organisations have not a clue about the infrastructure that their business is running on. And they’re absolutely exposed to this kind of thing. If they were breached as a result, and if they were forced to declare a breach – as new regulations would mandate – then they could suffer pretty severe reputational damage, even though actually they had done everything that they could feasibly have done. It draws a whole new set of questions to the debate.”

Another element of the story Brown feels has been missed is that if Heartbleed shows us anything, it’s how limited and problematic passwords have become.

“I don’t know how many passwords you have,” he says, “but I’ve got dozens – a number of which I use on an annual basis, if that. So changing them all wasn’t a practical reality for me, or for many other people. What this draws attention to is the vulnerability of the password as a model for protecting data and user identity. On my professional biography I have the words: ‘I hate passwords’. I’m not trying to be grumpy about it – it’s just a shorthand way of saying, ‘This is a broken model, and it’s been broken for many years.’ So if Heartbleed draws attention to that kind of issue then, you know, terrific!”

Ultimately, the episode will only serve to highlight arguably the biggest problem business faces in today’s wired world: the desperate shortage of skilled digital-security staff. As Acumin’s Salary Index showed recently, the year-on-year increases in rates paid to IA professionals – whether as full-time staff in end-user companies, as freelance consultants, or within specialist security service suppliers – continue to roll over. Security professionals can command ever higher salaries because the demand for their expertise is increasing at a faster rate than new entrants to the jobs market are arriving out of training courses and universities.

“The main challenge at the moment is the lack of availability of expertise,” Brown agrees. “It’s no surprise that the fastest-growing area in cyber security, in terms of market size, is the services area: and this is because organisations are trying to ramp up their capabilities and understanding of cyber security without access to the right people. They’re having to buy those people in from services organisations, and that is a direct consequence of the skills shortage. So on the one hand, yes, organisations want to understand their security estate much better, and understand the implications of that. But on the other, they are finding it really difficult to tap into that expertise.”

Expect Heartbleed – and the issues it raises – to come up in discussion at tonight’s RANT Forum event. As regular readers will be aware, this month’s special takes place not at our usual location in the City of London, but in Earl’s Court, handy for delegates leaving the second day of Infosecurity Europe. Full details are available here.
