The Long-Term Impact of Short-Term Problems

Thursday, July 21, 2011

Rafal Los


Let me pose a question

How long do you suppose it will be before one of these companies that's had a catastrophic, board-level security awakening forgets it ever happened and goes back to its old practices of ignoring security?

I pose the question because from the recent events, many organizations (profitable, global organizations) have had board room level visibility into what a security breach can cause them in terms of reputational, financial, and operational risk.

That being said, we've seen EPS fall (short-term, anyway), people get fired, and in some cases mass amounts of revenue go unrecognized. So what? What has changed?

Immediate Impact of a Catastrophic Breach

I think, unless I've been reading the news wrong, that the short-term, immediate impact of a 'catastrophic' breach (one that makes front-page news on a busy day) is all the board room notices.  

At that instant the security manager, or whoever is responsible for the organization's security, has a tiny window of opportunity to make the most important decision of their careers. That decision, if I may be frank for a moment, will either be to do something heroic and stupid, or step back and think and make a smart decision.

The problem with the "heroic and stupid" option is that it's the easier one to make.  It's simple to look at a breach that has cost a company north of $150 million US dollars, and go before the board and ask for a huge bucket of money to 'fix the problems'.  

See, this is the problem of being "stupid and heroic"... it's the easy and obvious move to make... but it's the wrong one. A hasty decision to throw money at the problem without first fully assessing the problem and organizational impact can actually make things worse.  

In a hasty decision it's easy to take that bucket of money you're being offered, and spend it on something that can either mask the original problem, or solve a symptom of the problem - and leave the actual underlying problem to fester.  

The bigger issue here is that on top of the fact that the problem still remains, you're now out a bunch of money and expected to deliver "security".

The much more difficult thing to do is to take a step back, offer to perform a full-on risk assessment and only then offer a solution.  With all the pressures and eyes on the security manager... it's scary to do the right thing.  

The pressure from media, from the board or shareholders may be overwhelming... but keep in mind that if you're a good security manager you know better than they all do... let that be your guide.

Doing the Right Thing

At the risk of sounding like a late-80's Spike Lee movie... just remember to "do the right thing". I fully realize this won't necessarily make you short-term popular, or a 'hero' immediately, but sanity will prevail.  

I wrote a piece on this earlier called "QuickSand" and you can read about the dangers of a disaster-driven security program too if you've missed it... but the idea that a panic and catastrophe should drive your reaction is just as crazy.  Don't let it happen to you. I won't beat this topic to death any more...

So Back to My Question

How long do you suspect that the memory of these catastrophic data breaches we've seen in the last few months will live? Six months? A year? Three years?  I'm willing to bet that some incidents will be forgotten faster than others, and it will generally be proportional to the amount of money lost. Interestingly enough, this may also depend on what you (or the 'security person in charge') do to solve the problem.

You see, you and I know full well that the board room has long-term memory, but only on things that catastrophically impact them. If your security incident loses the company $5/share on a $20/share price and a year later they haven't quickly recovered... you can bet that incident will be on their minds longer than if your company pays the fine and bounces back. I know, it's disheartening...

In the big picture, I'm willing to bet that the length of impact won't exceed 18 months. Moral of the story is... do the right thing, but make it snappy. I think I'd like to believe that everyone will start to care about security... but then I wake up from my dream and realize it's not really realistic.  

In the #SecBiz conversations we've had it's acknowledged that unless we make security relevant to the business... all is lost anyway - but I really firmly believe that how you respond to a major incident is what will dictate how your company perceives and carries forth the ideals of security in the business.

Don't screw it up, you probably have less time than you think, and this isn't golf, no mulligans.

Cross-posted from Following the White Rabbit
