One of the most common questions I hear debated in infosec (usually rhetorical) is – “what will it take for management to realize how important security is?” I think we’ve all kind of been waiting for that one breach that’s SO bad, or expect that the total volume of breaches and updates from Krebs will reach a tipping point that forces execs and board members to acknowledge that security is critical and pay more attention to it. Folks, I’m not sure it’s going to happen. In fact, I’m willing to argue that “breach weariness” is most certainly never going to be the catalyst for increased investment in security, and really bad/big breaches likely won’t either.
I did a bit of research on some of the top breaches of the last decade, primarily based on the number of records accessed or exposed. A great site to visually see this quickly is “Information is Beautiful”, here. I then went and charted the stock performance of the public companies on the list, and the results may actually surprise you. In short, companies that have experienced breaches are not just overcoming the incident, but thriving. Here are some examples:
Could this be entirely coincidental? Sure. In fact, what I am NOT asserting is a definitive correlation between breaches and corporate success – although if you had created a stock fund of breached companies, you’d likely have outperformed the market considerably. What I AM suggesting is that we have a bigger problem, and that’s one of credibility at the business level. No one wants to be breached (DUH). There ARE impacts – fines, breach cleanup costs, short-term reputation impacts, and so on. Neither security professionals nor executives want to experience any of this. However, business execs will look at companies who have experienced breaches, weathered the storm, and even RALLIED… and they will not be inclined to turn the whole ship toward spending lots of time and money on security initiatives.
I think it’s important that we realize that only in our little echo chamber is this the most important issue all the time. To executives and business professionals, this is just another issue to contend with. We need a better business case for security than “we could be breached”. Based on some of the data I am seeing (which, incidentally, many others have delved into better than I have), it’s going to be a hard sell to use breach FUD as a catalyst for change in our security posture.