As we devise new strategies and techniques to keep our businesses out of the news, to make our business not worth the hackers' time, and so on, I want to ask the question: is risk management as a methodology really serving us well?
Sure, it lets us justify and enumerate how much money to spend on security efforts.
Here ACEDS (the Association of Certified E-Discovery Specialists) discusses the first lawsuit brought against Sony by its employees.
The lawsuit alleges corner cutting (trying to save money):
“On Monday, plaintiffs representing more than 15,000 current and former Sony employees sued the company in a Los Angeles federal court, alleging it acted negligently in failing to safeguard its networks from attacks – and moved too slowly to mitigate the fallout when the breach became apparent.”
Most interesting to me was a quote from Sony Pictures executive director of information security Jason Spaltro, who told the website/magazine CIO in 2007: “It’s a valid business decision to accept the risk.”
It is worth noting that over the last 12 years there were many moments of “risk management” decisions, and now those decisions have borne fruit: the intruders owned the entire environment. Do we really have to wait until after we get hacked?
I think we should take a different approach:
My business will not get hacked because I am doing what it takes: X, Y and Z. Post it so everyone can see, and force the competitors to spend money as well.
Install next-generation firewalls (with intrusion prevention systems), antivirus on every desktop, and a compliance-driven rollout for patching all desktops.
I guarantee you these costs are less than the cost of a lawsuit after you are breached.