Bob Bragdon, fellow CSO blogger, and the magazine's founding publisher, recently posted some thoughts on the Target incident. It got me thinking, and led to me recalling conversations I had this past weekend in Washington, D.C.
"Could the retail industry (and other industries for that matter) do a better job defending against data breaches? Sure. But let’s try and be realistic here. As I gather with friends in the security business and mull over what we are seeing, many of us are shaking our heads and thinking, if not actually saying, 'if Target - a company that really got security - can get hit like that, what’s that mean for the rest of us?' Target is one of those companies that gets security, and they have for as long as I’ve been familiar with them. The fact of the matter is that they were the victims here."
The thing is though, this is the second time Target has been a victim; and that frustrates me, just as much as it frustrates many other security professionals (based on discussions I had with people at ShmooCon recently).
While they were mostly focused on TJX in 2005, Albert Gonzalez and his pals in Russia hit Target too. But the media focus was on volume, so Target didn't see much coverage then, TJX did, along with Hannaford Brothers and Heartland Payment systems.
Years later, long after that case was closed; Target knew they were at risk. All merchants are at risk, but in this case Target has already been hit – so you'd think their levels of awareness would be rather high.
Assuming that is true, then the major question is what went wrong? Where was the gap that allowed those responsible for this latest incident a foothold? I believe, as someone who has worked in and around InfoSec all his life, that Target "gets it" when it comes to security, but in this case, something has gone horribly wrong.
It isn't right to blame the victim, and Target is the victim, but I believe they need to be held accountable to some degree. In the end though, aside from fines and recovery payments, I also believe nothing's going to happen.
The fact is, no matter their faults, Target will recover. Analysts on Wall Street are already saying Target's a good buy. As to other firms that have suffered major breaches, TJX recovered, and is doing quite well these days. Sony is too for that matter. So what does the market value say about data breaches? Looking at the long term, it says that breaches don't matter.
It's an outright frightening situation. One I didn't consider until I held a conversation with a fellow ShmooCon attendee last weekend after a game of Magic: The Gathering. As long as the stock isn't impacted for the long term, some business leaders are fine with doing the bare minimum and nothing changes security wise. The more evidence there is that stocks will recover; the less likely it is that breaches will matter as part of the bigger picture.
Furthermore, it looks as if all a company needs to do is purchase some breach insurance, meet the required regulatory and compliance mandates at the time of assessment, and go on about the daily grind of conducting business. Again, the stock may take a hit in the event of a breach that makes international news, but it will recover, that much is fact.
Another unfortunate reality is that the cost of breach recovery can be included in the general cost of conducting business. Thus, focusing on the basics will be fine in the long run. You already see this mindset when corporations assume risk and are willing to pay fines or settle lawsuits rather than alter their security / business posture.
On the other hand, research from Forrester's Forrsights Security Survey shows that business leaders are spending more on security, but that data comes from a sample size of 2,100 business leaders globally, so it has its limits. The business leaders that are wanting to do more, are often prevented from being proactive due to budget restraints or business goals. If security is too costly, or it gets in the way of the business, then it's not going to happen. This is a reality that security professionals face on a daily basis.
In his conclusion, Bragdon made another valid point when he said, "we’ll [the security community] continue running, like hamsters on an exercise wheel, running and running but not getting anywhere."
Vendors in the security industry have all the answers it seems, and can offer solutions to many problems. Yet, businesses (both large and small) fall victim to the same attacks and the same vulnerabilities, year after year. If they feel like hamsters on a wheel, it's no wonder that InfoSec practitioners are suffering from massive burnout. If the very thing they're fighting to prevent might not even matter to the business in the coming years, the feeling of burnout isn't just understood, it's almost justified.
Share your thoughts. Do you think that breaches such as the one suffered by Target will matter in the long term? Why or why not?