Chief Executive Officer, Security Innovation

Hannaford spending in RIGHT place?

Apr 30, 2008 | 3 min read
Business Continuity, Data and Information Security, Identity Management Solutions

Recently, Hannaford’s CEO announced that his company would “spend millions” to improve their security posture and prevent further data breaches. This is a laudable stance; however, it is also an example of what I call “The Recency Trap”: organizations respond to a recent event or change in circumstance and often over-invest, or invest in the wrong places (often both). It’s like when the E&Y employee left his laptop on a bus and some C-level knuckle-head there decided it was a good idea to mandate encryption on all 22,000 E&Y laptop hard drives. Are you kidding me?! That is one expensive fix – and one that would most likely have been implemented incorrectly anyhow — but worst of all, it ignores the REAL threats that a company like E&Y is facing. Why spend that money on hard-drive encryption at the expense of other business continuity, training, and data protection initiatives that would yield higher returns and mitigate more risk?

Similarly, why should Hannaford spend millions on intrusion prevention systems (IPS) when that wasn’t the major problem? They had malicious code implanted on their systems and IPS can’t do ANYTHING to protect against software security issues or people taking advantage of known security flaws to exploit a system. And they certainly can’t help the company if an insider with access installs software on a server. They are spending lots of money yet ignoring the bigger issues… they are taking their eyes off the ball, imo.

Companies are spending WAY too much money on network infrastructure defenses and way too little on things like awareness training, software security, and data leakage! Studies from Gartner and NIST indicate that between 75% and 92% of security vulnerabilities are due to flaws in software; yet they also report that over 90% of IT security spend goes to perimeter security such as firewalls and IPS. This demonstrates two things to me:

  1. CIOs (who have buying power) don’t understand the real threats
  2. CISOs (who don’t have enough power to open eyes) may understand the real threats but can’t do anything about it

There IS NO PERIMETER anymore. And most of the perimeter/network defenses are USELESS against the software problem and the insider threat. Criminals are going after retail and web sites with large customer databases that contain credit card data, CVVs, names, and addresses. Why? Because this info is valuable and can be sold WITHIN MINUTES of it being stolen. And most criminals take advantage of known security flaws in applications and operating systems. Spend your money on properly patching your systems and hardening your applications!

The fact is that most applications are rushed into production without security testing. Companies fear that writing secure code will cost too much, but there are many data points that prove otherwise: 1.) insecure software is much more expensive to maintain and patch… and oh yeah, it can also cost you millions if it causes you a data breach, and 2.) once you know how to write secure code, it doesn’t take any longer to create an application than if you wrote it insecurely.

Hannaford would be much better served writing properly secure code to protect their customer data at the source (and demanding that the vendors they buy software from do the same) instead of spending millions at the perimeter on network defenses that will make them no more secure from the attack that breached them.

Ed Adams is a software executive with successful leadership experience in organizations of various sizes that serve the IT security and quality assurance industries. As CEO, Mr. Adams applies his security and business skills, as well as his pervasive industry experience in the software quality space, to direct application security experts who help organizations understand the risks in their software systems and develop programs to mitigate those risks. The company has delivered high-quality risk solutions to the most recognizable companies in the world, including Microsoft, IBM, FedEx, ING, Sony, Nationwide and HP.