Tuesday, December 10, 2013

A Breach is Not a Failed End State (get over it)

I struggled with the right way to start this blog post, but ultimately I settled on the most blunt approach, which is the naked truth.

There are those in our security community that feel that a breach is a [failed] end-state. To me, these people fundamentally don't understand security in the modern context.

Before you start writing your comment to scold me for my directness, consider this... how many organizations can you name that can honestly claim that they are 'secure' - with evidence to back that up? Conversely, look at the tremendous number of organizations, enterprises and, yes even government entities that have been breached and not only survived the breach but are inexplicably thriving as an aftermath.

If the fact that a company's stock can look like the below graph (thanks Adrian, brilliant graphics work) after a breach boggles your mind, read on. Even if you get it, read on anyway ... maybe you'll find something to disagree with?

I've been going on and on about this topic for a while now, but let me be clear on my stance - everyone gets breached. I firmly believe there are two types of companies/organizations: those that have experienced a breach and those that don't know they have. This seems to be a universal truth more and more as I and my peers venture into organizations who claim to be "secure" only to find broad and rather obvious evidence of either past intrusions and exfiltration - or worse - active intrusions on the corporate assets. Depending on how you define an intrusion it's virtually impossible to find an organization without some active threat or adversary inside their prized assets. There is simply too much to protect in security*, but I digress.

Let's take one of the largest, most prolific breaches in recent memory - the TJX breach. I can recall that at the time of the breach there were plenty of high-profile folks, including some in the media, who called for their immediate demise. To be truthful, even I (being young(er) and naive) believed that the breach would be their undoing. Well, suffice to say we were all wrong. Check out the company's stock courtesy of Adrian's graphical handiwork:

So what gives? If the company's stock drop was simply a blip on the radar to an otherwise wildly profitable company - why bother with security at all? Granted this was more than a few years ago - but is anyone reading this foolish enough to think that consumer sentiment has changed that much? I dare say not. Furthermore, I know what some of you are thinking ... this is the retail sector and retail shoppers are notorious for not really caring much about a credit card breach because ultimately credit cards are trivial to replace and rarely does it mean financial loss for the customer. More of a nuisance, really. True. Other industries and market segments of course will wildly vary, and I don't claim to have insight into every market segment.

Here's my logic.

  • Even the best-run, best-staffed, best-equipped security organizations are overwhelmed with operational tasks, and there is bound to be some avenue or attack vector you leave unguarded for even a split-second.
  • Attackers will exploit this weakness and breach your organization.

Now, this is where it turns into a "choose your own adventure" book (remember those?)... the good security organizations think beyond simply preventing a breach and are always in detection mode, ready to respond to the intrusion, resolve any incident and consequently learn from it. Poorly run security organizations just get breached, and pandemonium ensues when they eventually, often accidentally, figure it out.

There are a number of factors that contribute to successfully riding out that inevitable dip in confidence and likely stock price:

  • How effectively your organization communicates the issue
  • How truthful your organization's communications are
  • How transparent and open your organization is about the breach or incident
  • The timeliness of notification of individuals, and the public, put at risk
  • The level of accountability your organization takes
  • The ultimate scope of the breach or incident (for example, was the entire database stolen, or did the attacker only get away with 1/4 of the records before they were stopped?)
  • The speed at which the issue is resolved
  • What changes your organization makes, tactically and strategically, to your defensive posture as a result of the lessons learned

Now, assuming you do a reasonably good job at the bullet points above, you may ride out the issue just fine, and in fact may come out of the poop-storm smelling like a rose! Of course the court of public opinion gets to determine how well your organization is perceived to do, and the standard goes up with each major breach. You will of course be measured against yourself in a previous breach (consecutive breaches inside your organization get less and less sympathy from your customers, partners, and the media), and against your competitors - so it's not necessarily a low bar to get over.

When I explain this to CIOs and CISOs, I often find myself saying that the big issue isn't that you are experiencing a [perceived] catastrophic breach; the true issue, and Enterprise Security's responsibility, is to "shorten the dip" (in the case of publicly traded companies). The better your security organization is, the more integrated it will be throughout the company into legal, risk and, yes, even PR and marketing. The better you do in managing the incident and public perception, the shorter that dip in stock price will be, and the less likely you are to be hurt in the long term.

In fact, and this shows up in the graphic above, there is a very good chance that even if your handling of your breach is mediocre, you will still get some tremendous exposure to new people, and will get a chance to set a high bar for the next organization to follow. Consumers, partners and clients understand that and largely respond to it. In the case of the Buffer compromise** the company was transparent, did all the right things to mitigate the compromise, and then rolled out quick fixes... and where I wasn't a customer before, I was so impressed with their handling of the incident that I'm a Buffer user now. Go figure, a breach brings in new customers...

There you have it. That's my thinking on why a breach isn't a failed end state but rather an opportunity for enterprise security to shine and actually drive the company's position and confidence in the enterprise forward.

* There will be more (much more) on this later as it necessitates a separate thread of discussion.
** If you're interested in hearing an interview on the BufferApp compromise and how they fared - check that out here on my Down the Rabbithole podcast. (shameless plug)

1 comment:

Unknown said...

"There is no such thing as bad press" but only if you handle it right and are loved by the public. I would disagree with the binary approach of "those that respond well vs those that respond badly" because public perception of the brand name in question is vital too. If Virgin got hacked versus BP, I would guarantee Virgin would come out better if all things were equal, purely because of public opinion of the brand.
I don't think there is a clear answer regarding if a brand will recover or not, but there is more to it than just their ability to react.