CSO Breach SOP == FUD?
Last month, CSO Magazine ran an article, “Avoid a Meltdown: Reacting to a Security Breach.” The article had some great advice on breach handling, but, as usual, the magazine resorts to scare tactics to get its point across. It is articles like this that give CSOs a bad reputation for not understanding business needs or risks. CSO says:
Looking further into the business impact of the post-breach processes, we quickly see that the way an organization reacts to the security breach can make the difference between a minor financial impact and a complete corporate meltdown.
The real costs in any security breach are in the long-term financial impact and productivity reduction, not the immediate remediation costs.
Except that they never actually support the claim. They don’t provide a single example of a company being significantly hurt by a disclosure. I personally can think of one, and that is CardSystems. In fact, from the Alessandro Acquisti et al. paper that Adam linked to earlier today, we learn the following, which directly contradicts CSO Magazine:
Our event study shows that there exists an impact for privacy violations. This impact is significant and negative, although it is short-lived.
This supports the anecdotal evidence, such as the fact that ChoicePoint is now trading at prices more or less the same as before all of its disclosure issues.
And while I’m complaining, enough with citing the 1982 Tylenol issues as a business case. There is a big difference between dealing with a privacy or data leak and people dying because your drugs have been poisoned. Surely, the editors could find a more recent example where a management team has handled a major issue well, such as the one at Facebook?