Three Envelopes, One CISO
I have one piece of advice for you. Whenever you have a breach, open each envelope in turn.
Blame your predecessor.
Blame your team.
Prepare three envelopes.
This was a perfect example of sloppy IT security and a CISO that did not implement proper privileged identity management, or a disaster recovery backup plan for continuity of business. The consequences were a loss of control over his environment caused by a focus on convenience of IT rather than the security of the enterprise.
This may well be true of course, and the Sony CISO may well have been incompetent in this instance. There is however a very real alternative possibility. What if the CISO had been very clear in the dangers in this case of convenience over security? And what if the board, or other senior leadership simply felt it was too “expensive” culturally and from the perspective of impact to the current productivity of the company. Sony is a strongly creative focussed business; it is not a bank, an energy company or in a regulated environment, so they are not forced to carry out particular security activities. The ability of their employees to not work as flexibly and without restriction could well be seen as a higher risk than that of a breach (even after the 2011 breaches).
Perhaps the cost of this breach will simply be a blip in the years to come.
The key thing though is that the business may well have accepted this risk and simply moved on, much as they would have accepted a financial risk and moved on. Sometimes financial risks results in massive downturns in business, and I don’t always see the CFO being pilloried on the first day without evidence – that is normally reserved for the CEO or Chair of the Board.
We seem to want to chop down the CISO as soon as something goes wrong, rather than seeing it in the context of the business overall.
Let’s wait and see what actually happened before declaring his Career Is So Over, and also appreciate that security breaches are not always the result of poor information security, but often simply a risk taken by the business that didn’t pay off.
I’m off now to get my PS4 in a fire sale.