Solving Security Problems With Money

Have you ever read something that is meant to be funny, kitschy, but ultimately ends up being ridiculous?

I read that and chuckled to myself. Then I read the replies…

“This is why we’re in such shit shape” — was my first reaction.

So why such a strong reaction? Because quite frankly it, I suspect accidentally, lampoons security professionals. Look at all the people chiming in and making fun of someone who would sanely hire a PR firm to help during a breach! The immediate jump to defend the guy who blindly says “increase the security budget” is not only crazy, in my opinion, but demonstrates how little so many of us in security actually understand about the world around us.

While I will concede there are many times where security organizations were breached as a direct result of lacking budget, I would venture a guess that number is far less than people commenting on this post would think. Furthermore, if “more money” solved problems we’d have world peace by now with the amount we’ve poured into the military and conflicts.

What should you do after a breach to restore trust in your company?

  • First — hire an independent investigator and a data breach attorney/firm. Get to the bottom of what happened, how, why, and who needs to know. Notify those people as quickly as possible, but do so in a manner that conveys poise, professionalism, and calm. If you don’t know what happened, the rest doesn’t matter.
  • Second, hire a PR firm to help you get your version of the story out (this is important because as Chris and I mentioned in a previous episode of Indistinguishable from Magic — people will make up their own stories to get in front of the camera and you lose what’s true quickly.
  • Conduct a review of your liabilities — figure out what the potential damage is, and get ahead of repairing that damage… this means don’t hide from mistakes.
  • Conduct an independent 3rd party review of your cyber security program — top to bottom. Start with how your organization is positioned in the company, organizational structure, budgeting, process execution, and operational maturity.

Seriously, though, friends and colleagues — let’s grow up and knock this ridiculous shit off. It’s time to mature as a group, and the “we just need more money” cry is getting old and tired. Also, it’s probably the wrong answer. Stop. Analyze. Then respond.




I’m Rafal, and I’m a 20+ year veteran of the Cyber Security and technology space. I tend to think with a wide-angle lens, and am unapologetically no-bullsh*t.

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

Token Name: Dinodot

9 Steps To Take To Keep Your Twitter Account Safe From Hackers

At PrivacySwap ,One session was not enough to sit down and talk about phishing scams in the DeFi…

Top Security Trends for 2021 (and What They Mean for You)

Liquidity Reserve Predefined Policies.

What if … you had to comply with GDPR

TryHackMe — Making Gods From Mere Mortals

Korea’s Internet Security Agency readies blockchain identity app for employees

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Rafal Los

Rafal Los

I’m Rafal, and I’m a 20+ year veteran of the Cyber Security and technology space. I tend to think with a wide-angle lens, and am unapologetically no-bullsh*t.

More from Medium

Is The Cost Of Predictive Cyber Security Worth The Investment?

REsurfaced: REvil is back

CYPHERDOG SECURITY: Securing The Cyberspace!

Who’s in charge of security in your company?