The Key Takeaway from the Yahoo Breach
Breaches are now material to the survival of an organization
With every breach, heavily publicized or not, there are always takeaways available to those who are interested in learning from them. Yahoo and the now 3 Billion record breach is no exception. One can always learn about the specific vulnerabilities, whether technical or human, that the attackers exploited. One can learn about the complexity of forensic investigations, such as how hard it is for most organizations to know what, when, and how much data was stolen, and try to learn how to do it better in their own organizations. One can also learn how to, and how not to, manage a public response and the bad PR that comes along with it. And finally, security professionals can use publicized breaches, as we have for years, to try to impress upon our organizations the security risks that exist and to prompt investments to mitigate them, following the old “never let a good crisis go to waste” strategy.
However, the one takeaway from the Yahoo breach, the Equifax breach, WannaCry, and so many other global ransomware attacks is that breaches are now more often material to the operation, health, and even survival of the victimized organizations. Years ago, cybersecurity was in the backwater of an IT organization. Security wasn’t a priority at most organizations, largely because the data leaks that did happen, while annoying, were not meaningful to the health and survival of the organization. Organizations had bigger issues to address. But as IT and digital business have grown, along with the industrialization of cybercrime, this has clearly changed. CEO firings, stock drops, and M&A value impacts are now becoming commonplace for breached organizations. This is getting the attention of upper management and the chattering classes in the mainstream press, regulators, and legislatures. But will this make things better or worse?
The big question is whether the rise in the materiality of security will drive effective actions, such as investing in security programs over the longer term from a comprehensive risk management perspective, with a better understanding of how to build out a Cyber Resilience strategy. Or, as is often the case, will the new importance of IT security drive people into blaming the victims and finger pointing, devolving into the so-and-so-must-be-fired mode of response?
If so, we have clearly let a good crisis go to waste!