Tradeoffs For Accepting a Lower Security Posture

Leaders sometimes don’t understand what they’re truly trading off.

Yeah, it might keep you up at night sometimes. You know your security posture isn't what it should be. But look around: look at Target or The Home Depot. There was an impact on the stock, but then a recovery. They paid some fines and had some other things to do, but from a stock and future-of-the-company perspective, they've fully recovered from those breaches. Our data is still in Equifax even though they got breached.

Can you justify the expense of locking it down when the penalty is that low?

The silly numbers from analysts and research organizations about the average cost of a breach, or the cost per record compromised, leave a lot out. Here are some of the things they miss.

  • The true cost of a breach also includes how much it interrupts the work of the company, because so many hands are on deck to recover from it. Not just in your security or technology organizations, either. The sales department has to be trained to answer customer objections. And yes, your deals might still close, but how much business gets delayed?
  • What brand and trust losses might you be facing, and how do you measure them?
  • There is going to be a significant cost in lost employee morale. Any time your organization is in the news for malfeasance, your employees hear about it at home and from their friends. It wears on people. Employee effectiveness will drop across the board, even if only a bit. Folks will start looking for new jobs, but you won't be able to measure how many for months.
  • It will take a long time to measure, but how much harder does recruiting get after an incident?

More broadly, running a business interrupt-driven is highly ineffective and highly disruptive to building stability. This applies to your organization pre-breach as well.

  • If security isn't early in your process, you are always going to be backtracking. How much wasted developer and tester time (not to mention schedule delay) are you causing, versus paying a security engineer to inject these things earlier in the process?
  • Even in more mature organizations, take the example of a bug bounty program. Compare the 25 emails and the month it takes to evaluate whether the bug is real, assess its impact, and close it at that stage, versus the single day it would take to fix if it had been discovered internally by someone who was already in all the meetings and understood the context and potential impact. The payout for the bug itself is nearly irrelevant.