Shostack + Friends Blog Archive

 

Holding a Lighted Brand up to Damage

Adam comments on some breach commentary, and quotes Nick Owen saying that breaches are a sign of incompetence.

I can’t let this stand un-commented-upon. I believe that that is a dangerous comment, and one that needs to be squashed early. It’s like saying that a bug tracking system with lots of bugs in it is a sign of engineering incompetence. It actually means the opposite. A truly incompetent management team wouldn’t know they’d been breached. A slightly less incompetent team would bury it under the rug. This is true for software developers as well as operations people.

This is a very dangerous comment because it rewards the truly incompetent who don’t know how screwed up they are. It is a dangerous comment because it rewards the mendacious, who hide that they’ve been breached — or who design their operations so they won’t know when they’re breached. Stop. You’re going to set us backwards if you keep that up.

It doesn’t matter how good you are, some day you will be breached. Accept that. As a consumer, that’s a mildly unpleasant thing to think of, but it’s true. However, you want people who lose your data to have the wit to know they’ve lost it, and the morality to own up to it.

I also want to comment on Allan Friedman’s comment about Iron Mountain, as I’ve noticed the same thing, that many breaches involved Iron Mountain losing tapes. But I’m not an economist, I’m a guy who’s spent times in operational groups, and I have an alternative hypothesis.

Let us assume an organization that makes daily backups and sends them to a data warehouse. Let us suppose that the tape monkeys have a Very Bad Day. Sam’s on vacation. Ginger broke up with her boyfriend and came in late. Two tapes verified bad and had to be re-done, Networking misconfigured something and you couldn’t get to C Building at all. The Iron Mountain guys come in to get the tapes from you, and you tell them the horror story. They say hey, no problem, just give them what you have. They’ll take it off to the warehouse, and as long as there’s no disaster tomorrow, it’ll all be taken care of in the next incremental. The CIO never has to know. Whew! Thanks, Iron Mountain! You’re a life saver.

Iron Mountain is being smart. The real customer is the supervisor of the tape monkeys, and if you help him shine, he helps you shine. Alas, they’re being smart until lost data is not simply a gap in the backup history, it’s a breach. Then this habit of mutual back-scratching all falls apart. If someone does an audit and finds out that a backup of the Order Database is missing, Iron Mountain takes the fall. All the paperwork says that the database was backed up, put onto tape 1723-A5, and sent to the warehouse. And therefore, so it was. Iron Mountain can’t say, “Um, actually, for years now, we’ve been covering for our customers and letting them claim data was in the warehouse when we all know it wasn’t.” They just have to take it on the chin.

You know what? The real customers, the tape monkeys who have been let off the hook yet again know that Iron Mountain kept them out of even bigger trouble. They know that the Iron Mountain guys can’t let them hand over an empty box any more. But they aren’t going to switch to another company, either.

My hypothesis could be wrong. I don’t know if it is. I can’t admit to ever having been in a situation like my hypothesis. I am, however, a cynic, and I know that if Iron Mountain were in the habit of losing tapes, it may or may not show up in their stock price. But if they were in the habit of making the tape monkeys look more competent than they actually are, it is consistent with observed phenomena. It doesn’t mean my hypothesis is right; heck, the magic blue smoke theory of semiconductor physics is consistent with observed phenomena [link to http://www.microwaves101.com/content/microwavemortuary.cfm no longer works]. But when I noticed Iron Mountain showing up in a number of breaches, the smoke I smelled seemed to have a hint of electrolytic capacitor in it, and whiff of insulation.

6 comments on "Holding a Lighted Brand up to Damage"

  • Note well Allan F’s comments about the difficulty of measuring the price effect. This makes sense if you consider that security is a small part of the most businesses, and it is risk after all, so we expect a few breaches.
    Management aren’t incompetent, but they are probably ignorant. If you are lucky, management has an MBA, and if he or she was lucky, that included 1 or 2 lectures on the entirety of IT. In a market where security (whatever that is) cannot make a lot of difference to the bottom line, management are best off ignoring it.
    You have a choice as a manager: listen to some salesman who is talking nonsense, and has no better strategy than to try to force you to CYA with some accusations of incompetence, or wait for the breach, which will give you hard data on just what you need to do.
    Which looks cheaper?

  • Adam says:

    Great post! Nick’s post, unfortunately, drives the embarrassment side of the story, and I hate that. Embarrassment bad. People work to avoid embarrassment. They dont give me data points. Not having data points makes me sad.

  • Nick says:

    To be clear: I said that breaches are sign of lack of competence not incompentence. And there is a difference in this context. I should also be clear: I’m not talking about brand damage – I would not have the competence to measure that. I’m talking about stock price and company value. My post should also be taken in context of my post on frequency of breaches: http://www.wikidsystems.com/WiKIDBlog/where-are-you-on-the-normal-curve-of-information-security.
    My point is this: If there is one breach, there likely have been or will be more. As an investor I would say, “these guys can hang on to their data very well.” Then I would ask: “Does it matter?” If they are a retailer, I suspect not. If they are a data broker, I suspect yes. If the company handles it well, I will add back points for a good recovery. I might think: “They may have a lack of competence in information security, but they understand PR and marketing and that is what matters in their market”.
    I also don’t see how my post rewards the mendacious. The mendacious are rewarded when they aren’t caught. The potential embarrassment existed before my barely-read post. Embarrassment is no longer the driver in breach disclosure. It used to be that if a breach was discovered and not disclosed the result was more embarrassment. Now it is (in most instances) against the law.
    Top management needs no knowledge of IT and information security for a company to be competent in IT and information security. They need only to hire well, manage well, etc.
    I like Ian’s point, though. I would interpret it thusly: Don’t worry too much about security, but be ready with a PR/spin plan when you’re breached. There might be an agency issue in that the plan might call for some people to be sacked and you don’t know where that might stop.

  • Mordaxus says:

    Adam, I think security issues need to be a form of public health issue. Nice people get cancer. Nice people get heart attacks. Nice people get STDs. Nice people also have their airliners occasionally fall out of the sky, too. While there is pleasure to name-and-blame, it is not a pleasure that makes the world a better place — kinda like smoking.

  • Mordaxus says:

    Nick, forgive me, btu I think that “lack of competence” and “incompetence” is a difference without distinction. I’m no particular fanboy of the law of the excluded middle, but if you sayd, “Mordaxus, I didn’t say you are incompetent, I just think you have a lack of competence” I wouldn’t say, “Oh, that’s all right, then. Sorry I took offense.”

    The point you are making — that if there is one breach there may be others — has merit in a vacuum, and I don’t disagree. However, stigmatizing bad news has consequences and those consequences are not good for society. It creates value for hiding bad news. We need to create value for bringing good news out.

    In addition, I think you’re being naïve. Everyone gets rooted eventually. Yes, being rooted is bad. But no matter how good you are, someday you’ll not patch that PHP server in time, or someone will launch a targeted attack against you. It’s going to happen.

    Consequently, very low rates of reported breaches are as bad as high rates. High rates may say something bad about competence, or it may say something good about detection and response. Low rates may say something good about prevention, or it may say the organization is organically or willfully blind.

  • Nick says:

    Mordaxus:
    No apologies necessary! I think this is becoming a conversation best had in person (with beer, needless to say), like an email conversation that gets too long. I see what you’re saying about connotations of words like “competence”. But I guess for me it has a b-school connotation of “Core competence”. As an investor, I would expect a data broker to have IT security as a core competence as I would expect a Wal-Mart to have IT logistics as a core competence.
    Everyone gets “rooted” but they don’t always disclose personal non-public information – and “breached” to me connotes lost PPI, which is part of Tim’s original post on brand damage.
    Your post indicates that I should not use words like “incompetence” or people will stop disclosing breaches. My post was about how an investor would value a stock that suffered a breach. Perhaps I should have been more clear that I meant “to an investor a breach is an indicator of a lack of competence and they must evaluate factor in their estimate of the stock’s value”. (Many probably also think about how a breach will impact other investor’s estimates of the stock’s value. Perhaps that helps explain Allan’s TWX gif.)
    I see what you mean by my choice of words has the potential of stigmatizing breach disclosure, but I also happen to think that it is how investors think and thus is fair game for discussion vis-a-vis the impact of breaches on stock price (nee brand damage). You are thinking that it is bad to stigmatize breaches. I am trying to understand how breaches stigmatize (specifically a share price).

Comments are closed.