Shostack + Friends Blog Archive


Motley Fool on SIAC

Case in point: SAIC confessed in July that “information … stored on a single, SAIC-owned, non-secure server at a small SAIC location, and in some cases … transmitted over the Internet in an unencrypted form … was placed at risk for potential compromise.” In the context of other firms having actual knowledge of miscreants accessing their data, and in some cases using it in actual identity theft schemes, SAIC’s warning of “risk for potential compromise” sounds pretty tame. Still, the company has hired Marsh & McLennan (NYSE: MMC) subsidiary Kroll to help patch its security, and it would take at least $7 million to $9 million in charges in its second fiscal quarter to fix the breach.

What management does:
That won’t do any good for the trend of declining gross, operating, and net margins at SAIC. But to put things in perspective, the midpoint of the range SAIC posited, $8 million, represents just one-tenth of one percent of the firm’s cost of goods sold over the last 12 months. For a company this big, the financial cost of the breach isn’t a tragedy, folks. It’s a rounding error. (Motley Fool, “Foolish Forecast: SAIC’s Chance to Shine”)

I’ve been predicting this sort of response from the market for a long time. It’s nice to see it arrive at a respected consumer-oriented site.

6 comments on "Motley Fool on SIAC"

  • Alex says:

    I don’t know the specifics of this situation, but I can say with a degree of certainty that generic *transmission* interception using carrier infrastructure is a pretty low probability event (and therefore, not a particularly “risky” situation).

  • AlexCV says:

    It might be a low-risk event, but when your main customer list includes organizations like the DoD and the NSA, you might be held up to a higher standard when contracts with those entities come up for renewal…

  • rybolov says:

    It might be a low-probability event, but in the event of a serious breach of government data, you can be disbarred. That means no more government contracts or business for 5+ years. If your business is diverse (i.e., Federal business is less than 1/4 of your total revenue), then you probably can survive. For SAIC, Northrop, Dyncorp, CSC, and a handful of others that sell primarily to the government, disbarment means the end of your business.
    That also means that when you do have a breach, you have to overreact, not because it’s rational to do so, but because you are demonstrating concern above and beyond what would normally be expected. At that point, there is not a cost that is too high because you’re fighting to keep the doors open.

  • Adam says:

    Except they didn’t overreact. (Maybe they did, but they didn’t get anywhere near the “cost too high” numbers – they stayed in rounding error territory.)

  • AlexCV says:

    But with the current public view on security, a rounding-error-sized response is still above average. What would be the motivator to pull $100M out of their coffers to completely restructure their security policy and its implementation when they can do an $8M patch that will be perceived as “above and beyond” the necessary?

  • post a comment says:

    SIAC typo in headline
