Stop sinning with complaints about the coffee budget
Someone respected wrote on a private mailing list:
“If you spend more on coffee than on IT security, then you will be hacked. What’s more, you deserve to be hacked.” — Richard Clarke, keynote address, RSA 2002
To which, verily I say: Doom!
Doom!
You commit the sin of false comparison! You have angered Furlongeous, god of measurement! We are doomed to wander the wilderness for a hard-to-predict number of fortnights!
Hie! Hie! Burn them before they anger the gods further!
But this is not just false comparison, it is coveting, and after we burn them, we must gouge out their covetous eyes!
I can appreciate that in the current landscape there are significant risks to companies and that the responsible thing to do in light of those risks is to make certain the security budget is in line with the level of risk to the business (for example, Diginotar really should have invested quite a bit more in security given that it evidentally was possible for a single breach to kill the company). It frustrates a lot of security folks to see companies that don’t do that, and so I don’t think Richard Clarke’s opinion is terribly unique.
The problem is, no company should have to invest to protect themselves anymore than we should live in a society where a person should be responsible for his/her own safety walking down the street. The only time an entity deserves to have bad things happen to them is reciprocity for bad things they do to others. We can certainly say that not taking certain precautions is foolish, but that is not the same thing as saying that the outcome is deserved.