The recent Sony breach attributed to North Korea is only the latest in a series of Sony hacks that trace back to 2005. Most news stories point to the recent breach as an example of why corporations should take information security more seriously. Sony is being used as a cautionary tale of what awaits companies that fail to heed the advice of their CISO. However, if you step back for a moment and break down what happened and the actual consequences, a different perspective comes into focus.
To set the stage, let's do a quick recap of the events of the most recent breach. During November 2014, Sony was compromised by an organization calling itself the Guardians of Peace (GOP). The compromise resulted in at least five unreleased movies being leaked online, exposure of payroll information of over 6,000 employees and an estimated $35 Million in IT costs. Sensitive internal emails were leaked and some staff were reduced to using paper and pencil to conduct business. Not to mention the political furor that resulted when North Korea was accused of the breach. Taking all of this into account, you would assume Sony Pictures was devastated. Think again.
Yes, Sony suffered huge financial losses from the breach. Yes, there was brand damage from news of the breach and the contents released. However, the financial numbers tell a different story. Sony reports that the investigation of the breach cost $15 Million and the IT costs were $35 Million. Still, Sony is reporting that the majority of the costs will be covered by insurance. Michael Lynton of Sony stated,
“I would say the cost is far less than anything anybody is imagining and certainly shouldn’t be anything that is disruptive to our budget.”
It is estimated that the breach represents less than 2% of Sony’s projected sales for 2014. Sony stock prices are also currently above the price at the time of the breach and even the price prior to the breach. Additionally, Mr. Lynton stated that no one in senior management is being held responsible for the attack. According to Mandiant, “90% of Corporate America would have fallen to such an attack.”
You can point to the resignation of Sony Pictures co-chairman Amy Pascal as an impact. You need to look closely at that as well. Ms. Pascal stepped down not because of the security implications but the political fallout from the internal emails that were released.
If you go back further in time you can find evidence that Sony was aware of issues with its security posture well before 2014. In 2007 Jason Spaltro, Executive Director of Information Security at Sony Pictures, was advised of the information security risks facing Sony Pictures. He reportedly felt that it was an acceptable business risk not to mitigate the vulnerabilities. As an example, he didn’t think it was practical to invest $10 Million to prevent a $1 Million breach. Obviously, the most recent breach was bigger than $1 Million, but that line of thinking needs to be explored.
So let's step back for a moment and think about what we can learn from this. Most importantly, Sony Pictures is still in business. They are continuing to release movies, including the upcoming film Pixels. The Sony CISO was not fired. Actually, the position was vacant at the time of the breach. As near as I can tell from the outside, Jason Spaltro is still working for Sony Pictures. So what was the real impact?
If there is any lesson to be learned from this exercise it is that we as information security professionals need to be mindful of the business impacts of a breach. For years we have touted doomsday scenarios where a breach could put a company out of business. That is clearly not the case for a large company like Sony. We need to change our message to focus more on the true costs of a breach and what the company can endure. Ideally, we want the best security and defenses. When we assign a cost to that though, it may not be achievable. I believe we have a duty to warn our leaders of the risks of breaches and provide an accurate estimate of the impact. Easier said than done but it is something we must strive for.
We all know that breaches cannot be completely avoided. How we prepare for and respond to them is the difference in how much they will cost our organizations. We also need to recognize that how we convey this message will directly affect the resources we can obtain to curb the damage. Company executives are looking around and seeing the after-effects of massive breaches. Ultimately, they may not all see this as a call to arms to defend the IT infrastructure. Responses to this information vary. Some are seeking better defense, some are seeking more breach insurance and some are shrugging, figuring that breaches are simply the cost of doing business. After all, Sony, Target and Home Depot are all still in business and making profits.
To be clear, I am not advocating that we simply accept a lower level of security for our organizations. We do need to change the message though. Never before have CISOs had a greater opportunity to guide their organizations. We must guide them to risk-based decisions that match the organization's risk tolerance. Simply touting the disaster that will follow a breach is not enough. We need to frame it in the context of how much it will cost and what follows. We need to have realistic planning and conversation on how we will manage the organization post-breach. The CISO who can effectively navigate this problem and convince the organization to bring the appropriate resources to bear will have fully realized the purpose of the role.