Last year, when Target's CEO and CIO resigned in the wake of one of the largest thefts of payment card info in history, a seminal moment seemed to have arrived: At last, C-suites everywhere had been put on notice. The consequences of not taking security seriously were abundantly clear.
Since then, unabated, the parade of household names beset by data breaches has rolled on: Michaels, PF Chang's, Community Health Systems, UPS, Dairy Queen, Goodwill, Home Depot, JP Morgan Chase, Kmart, Staples, and most notoriously Sony, where the consequences -- not only for Sony Pictures exec Amy Pascal, but for the storied brand itself -- were catastrophic.
In the face of such carnage, how is it possible that nothing seems to change? As InfoWorld's Roger Grimes proclaims again and again, the best practices to prevent successful attacks are almost painfully obvious. Prior to the 2014 attack, Sony's defenses already had a reputation for being thin. Roger used the Sony breach as occasion to remind us that "the overall state of computer security at most companies is pathetic."
Security awareness has climbed to extraordinary heights as a result of these breaches, yet one of the safest predictions you can make is that we'll see more high-profile disasters this year. Given the stakes, how could this be? Here's my speculation.
1. Playing the odds at the top
Security efforts cost money and dent productivity by adding extra steps to normal operations. No captain of industry earns accolades by reducing risk, but short-term profitability pays handsomely, and chief execs tend to change jobs frequently. What are the odds a high-profile breach will occur within a few years' tenure? Higher than a few years ago, perhaps, but as Arijit Chatterjee and Donald Hambrick observed in their landmark 2007 Penn State study, "It's All About Me," CEOs often display narcissistic tendencies, and narcissists embrace risk.
2. Listening to vendors
Security vendors are in the business of hyping the latest threats (to the point of creating logos for them) and selling magic bullets to combat them. Technically, these threats are real, but they represent a tiny risk relative to such obvious attack vectors as exploiting unpatched systems. Believe the hype and you'll divert resources away from where they're needed most.
3. Caving to operational pushback
Let's say management gets religion and decides to eliminate the No. 1 risk in its organization, client-side Java. But then, uh-oh, several LoB managers pipe up to object that certain critical applications depend on client-side Java. In fact, a couple of crucial apps require older Java versions that are utterly exploitable. Does the company really want to bring operations to its knees while those apps are re-created using some safer technology? Or should that happen, say, during the big technology refresh planned for next year?