
We Need a New FUD

June 22nd, 2015

One of the most common questions I hear debated in infosec (usually rhetorical) is – “what will it take for management to realize how important security is?” I think we’ve all kind of been waiting for that one breach that’s SO bad, or expect that the total volume of breaches and updates from Krebs will reach a tipping point that forces execs and board members to acknowledge that security is critical and pay more attention to it. Folks, I’m not sure it’s going to happen. In fact, I’m willing to argue that “breach weariness” is most certainly never going to be the catalyst for increased investment in security, and really bad/big breaches likely won’t either.

I did a bit of research on some of the top breaches of the last decade, primarily based on the number of records accessed or exposed. A great site to visually see this quickly is “Information is Beautiful”, here. I then went and charted the stock performance of the public companies on the list, and the results may actually surprise you. In short, companies that have experienced breaches are not just overcoming the incident, but thriving. Here are some examples:

Heartland Payments: [stock performance chart]

TJX Companies: [stock performance chart]

Adobe Systems: [stock performance chart]

Global Payments: [stock performance chart]

Target: [stock performance chart]

Could this be entirely coincidental? Sure. In fact, what I am NOT asserting is a definitive correlation between breaches and corporate success – although if you had created a stock fund with breached companies, you’d likely have outperformed the market considerably. What I AM suggesting is that we have a bigger problem, and that’s one of credibility at the business level. No one wants to be breached (DUH). There ARE impacts – fines, breach cleanup costs, short-term reputation impacts, and so on. Neither security professionals nor executives want to experience any of this. However, business execs will look at companies who have experienced breaches, weathered the storm, and even RALLIED… and they will not be inclined to turn the whole ship to spending lots of time and money on security initiatives.

I think it’s important that we realize that only in our little echo chamber is this the most important issue all the time. To executives and business professionals, this is just another issue to contend with. We need a better business case for security than “we could be breached”. Based on some of the data I am seeing (which, incidentally, many others have delved into better than I have), it’s going to be a hard sell to use breach FUD as a catalyst for change in our security posture.

  1. Mohammed Hleihel
    July 2nd, 2015 at 14:23

    I think your graphs speak more of our crazy stock market and less of the impact of a breach on the victim company. So much cash has been thrown at the stock market that nothing really makes sense. The moment a company makes the news, their stock explodes.

    *Notice how TJX stock ballooned 4 years after the breach*

    Once a nice market correction takes place, I reckon breaches will be costly to all levels of the victim company.
