"It will take a massive incident for our company to wake up to itself!" How often do you hear that in the information security industry? All the time — so what generally happens when things go horribly wrong after the "incident" occurs?
Here's how the scenario plays out:
1. A big internal WTFJHM (What The **** Just Happened Meeting) takes place. (Generally 95 per cent executives with no idea and 5 per cent staff — with some idea).
2. The meeting will go along the lines of:
3. Draft a press statement along the lines of: "We take our client information very seriously, and always have!". Where possible, find a scapegoat. Nowadays, use the ‘APT’ line of defence because that is the “save our backside” line that works consistently!
4. Call in IT to fix the problem so that the media can be told that it's all under control. Sit back and wait for the magic to happen.
5. When IT explains the greater problem and what investment is required to fix and to stay on top of it, check whether media is still running hot on the story.
6. Has the storm blown over? If not, repeat step 5. If it has, move to step 7.
7. Wipe incident from memory. (After all, Australia has no regulators to worry about and, besides, history shows that data security breaches in large companies rarely result in any noticeable long term loss of business).
8. Keep IT security spending at bare minimum and ignore IT security team reminders of the incident. What incident? Something about APT?
In my experience, the only time it plays out differently is when some form of regulator is involved (for example, PCI DSS and the Payment Card Brands). If no one holds a big stick over the company, little changes regarding their long-term corporate security practices and mind set.
As an industry, we must remain vocal and continue to push for change. No one else out there knows the extent of how bad things really are in data security these days.
If we don't speak up, who will? As usual, I welcome your thoughts.
Drazen Drazic is managing director at Securus Global.