Solving Security Problems With Money
Have you ever read something that is meant to be funny, kitschy, but ultimately ends up being ridiculous?
I read that and chuckled to myself. Then I read the replies…
“This is why we’re in such shit shape” — was my first reaction.
So why such a strong reaction? Because quite frankly it, I suspect accidentally, lampoons security professionals. Look at all the people chiming in and making fun of someone who would sanely hire a PR firm to help during a breach! The immediate jump to defend the guy who blindly says “increase the security budget” is not only crazy, in my opinion, but demonstrates how little so many of us in security actually understand about the world around us.
While I will concede there are many times where security organizations were breached as a direct result of lacking budget, I would venture a guess that number is far less than people commenting on this post would think. Furthermore, if “more money” solved problems we’d have world peace by now with the amount we’ve poured into the military and conflicts.
What should you do after a breach to restore trust in your company?
- First — hire an independent investigator and a data breach attorney/firm. Get to the bottom of what happened, how, why, and who needs to know. Notify those people as quickly as possible, but do so in a manner that conveys poise, professionalism, and calm. If you don’t know what happened, the rest doesn’t matter.
- Second, hire a PR firm to help you get your version of the story out (this is important because as Chris and I mentioned in a previous episode of Indistinguishable from Magic — people will make up their own stories to get in front of the camera and you lose what’s true quickly.
- Conduct a review of your liabilities — figure out what the potential damage is, and get ahead of repairing that damage… this means don’t hide from mistakes.
- Conduct an independent 3rd party review of your cyber security program — top to bottom. Start with how your organization is positioned in the company, organizational structure, budgeting, process execution, and operational maturity.
Seriously, though, friends and colleagues — let’s grow up and knock this ridiculous shit off. It’s time to mature as a group, and the “we just need more money” cry is getting old and tired. Also, it’s probably the wrong answer. Stop. Analyze. Then respond.