Shostack + Friends Blog Archive


A Day of Reckoning is Coming

Over at The CMO Site, Terry Sweeney explains that “Hacker Attacks Won’t Hurt Your Company Brand.” Take a couple of minutes to watch this.

Let me call your attention to this as a turning point for a trend. Those of us in the New School have been saying this for several years, but the idea that a breach is unlikely to kill your organization is spreading, because it’s backed by data.

That’s a good thing for folks who are in the New School, but not so good for others. If you’ve been spreading FUD (even with the best of intentions), you’re going to face some harsh questions.

By regularly making claims which turn out to be false, people undermine their credibility. If you’re one of those people, expect questions from those outside security who’ve heard you make the claim. The questions will start with the claim of brand damage, but they might not end there. They’ll continue into other areas where neither the questioner nor you have any data. If you make good calls in the absence of data, then that’s ok. Leaders always make calls with insufficient data. What’s important is that they’re good calls. And talking about brand damage no longer looks like a good call, an ok call, or even a defensible call. It’s something that should have stopped years ago. If you’re still doing it, you’re creating problems for yourself.

Even worse, you’re creating problems for security professionals in general. There’s a very real problem with our community spreading fear, and even those of us who have been pushing back against it have to deal with the perception that our community thrives on FUD.

If you’ve been making this claim, your best move is to start repudiating it. Get ahead of the curve before it hits you. Or polish up your resume. Maybe better to do both.

Terry Sweeney is right. Hacker attacks won’t hurt your company brand. And claims that they do hurt security’s brand.

[Update: I’ve responded to two classes of comments in “Requests for a proof of non-existence” and “A critique of Ponemon Institute methodology for “churn”.” Russell has added an “in-depth critique of Ponemon’s method for estimating ‘cost of data breach’.”]

23 comments on "A Day of Reckoning is Coming"

  • “the idea that a breach is unlikely to kill your organization ”

    This does not sound very ‘new school’ to me. What is the likelihood? What likelihood will you tolerate?

    This post actually reads like FUD aimed at an idea that breaches CAN kill orgs and (however that is defined) damage their brands.

    Also, it depends on the biz – breach might not damage Coca Cola brand, but might damage a swiss bank brand.

    • Adam says:

      Based on the datalossdb and also this post by Pogowasright, the odds of a breach killing an org are roughly 1 in 1000.

      We can probably get more precise about that. Small organizations, which sell B2B and are subject to easy substitution are more likely to be highly impacted.

      The odds of being told that a breach will kill your organization approach 1 in 2. 🙂

      • Dissent says:

        You just switched from a statement about a breach “hurting your brand” to a breach “killing your organization.” Those are two quantitatively (and somewhat qualitatively) different impacts. Are we all defining “hurting the brand” the same way?

        I forgot about CardSystems when I wrote my own blog response earlier today (thanks, Larry!)

        What I’d like to see Terry do – or you, if you’re so inclined – is to respond to studies that provide churn data and explain how that is not evidence of the breach hurting the brand if you think it isn’t evidence.

      • > the odds of a breach killing an org are roughly 1 in 1000.

        This IMHO is a HUGE probability (assuming we can call the odds that for a second) and not an acceptable risk for most CSOs, I would imagine. So, your post should have said: “FEAR THIS! The breach CAN kill your org!”

        And, given the odds above, I’d say that the chances of you being told that a breach CAN kill your org (as proven above) should always be 100.00%

        Topic 2: brand damage.

        Have we defined what “brand damage” is and how to figure out that we do NOT have it after the breach?

        • Adam says:

          Anton, if that’s a huge probability, can you tell me what words you’d use to refer to 1 in 100, 1 in 10, 1 in 2, or 3 in 4?

  • Prefect says:

    Breaches don’t generally kill an organization, certainly at larger scales organizations are affected, expend resources, but these are not generally business ending events.

    Then again, few things are, that’s not generally the threshold for problems that should be taken seriously (“if it won’t end our business, I don’t want to discuss it” – a senior mgmt guy who articulates this isn’t being rational).

    But aligning yourself with a marketing manager who makes vague reference to stock market price with no supporting data (stock price being a very complex barometer with many inputs, not the least of which is human emotion), cites limited cases he doesn’t understand, and has the essential thesis that breaches simply aren’t that important, is probably not someone the New School wants to say is the bellwether for trends to come, much less someone to align its normally well thought out views with.

    Brand damage, brand in general, is as esoteric an asset as there is. People know it is valuable, but until someone is willing to pay for it, there is no real indication of its value (and even then, the buying entity could have over or under paid). To suggest that a company’s reputation does not suffer in a breach, especially a company that builds its “brand” around trust or security such as a bank, is to ignore evidence that consumers do in fact leave companies when their information is breached (Ponemon). To say that reputation risk does not exist, when news media will pick up the breach and articulates any relevant real or perceived irresponsibility on the part of the company based on mandated breach disclosure laws, is not a logical position.

    So the basically unknown dollar value of a brand is affected in a way that causes either a temporary or long term negative effect to that dollar value, amidst a sea of other factors simultaneously affecting brand value. That’s a hard problem, but it doesn’t suggest that there is no such thing as damage to a company’s brand via a security breach.

    Is Terry right that security vendors inappropriately market their products? Yes. Is he right that painting world ending events as the inevitable conclusion to not buying a security product is in essence the wrong approach? Yes. Does he take this to the wildly incorrect conclusion that you should relax, not be concerned that you were hacked, that it’s not a big deal? Yes.

    He can’t even respond to criticism (see video comments) in a reasonable way. George Hulme, who knows a hell of a lot more about security, took him to task in a professional way for not providing any evidence of his claims. Instead of responding, he expresses his surprise that InfoWeek would write that, and cites his passing, no numbers, research, or evidence provided, reference to the TJ Maxx breach.

    How do I know that TJ Maxx provides such a unique product (good clothes and cheap prices) that they were affected by the breach, but that the effect was covered by growth? Would the stock be even higher without the breach? Was the overall risk of the market considered in analyzing the stock price (or was it just “duh…the stock is higher now”)? Is a retail store a brand that would be largely negatively affected by a breach? Does the demographic of the retail store matter, the idea that the identities stolen from TJ Maxx are probably worth less per identity than identities stolen from Nordstroms? Are there no reasonable alternatives to TJ Maxx, and therefore the switching cost is too high for their consumers, but another retail store with more direct competition would suffer customer loss? Did consumers feel their response to the security breach (which affects the press coverage and company reputation as a result) was adequate or good, or the breach so novel that no company could have effectively guarded against it, so they don’t appear irresponsible?

    Lots of questions, no answers, but Terry somehow knows. Here is the constant: bad press affects reputation, reputation affects brand value, and security breaches cause bad press. How much is the debate, not whether.

    I ignored this video until now though, because my first impression was “here is a marketing manager who doesn’t really understand security providing a misguided opinion on security”. It would be akin to me making a video rant on marketing, if I added something novel to the debate I might be taken seriously, if not I would be immediately identified as someone who knows little about marketing, is not an established knowledgeable authority, isn’t contributing, and be dismissed as an unimportant viewpoint.

    Which is fine, in a marketplace of ideas some are worth more than others and a person’s background lends weight to their viewpoints. Not credible positions are meant to be dismissed, that is until people with credibility start lending credibility where it is not due.

    Been hacked? Relax, Terry the marketing manager who doesn’t know anything about security says you don’t have to worry about it. Reassuring…

  • Larry says:

    One point I would like to make is that the use of the term “FUD” is outdated because uncertainty and doubt is itself a part of risk management. Risk management would be a lot easier if every decision I ever make would be 100% accurate. However, since that is rarely the case, there is always a certain level of uncertainty.

    Terry Sweeney cited several examples but what about the breach at CardSystems? Where is that company today?

    Another problem is that the criminals are becoming more sophisticated in their attacks. I don’t want to be the security manager of a company that is the victim of a breach that really does negatively impact customers. When something bad happens, the first question to be asked is, “Why didn’t you do something to prevent this?”

  • LonerVamp says:

    I felt a little sad for this guy when I watched the video. Perhaps it should have been longer with better backing of his opinion. But I find it otherwise just as preposterous as saying a hacking incident will kill your brand.

    First of all, he brought up McDonald’s and Walgreens. To note, neither McDonald’s nor Walgreens themselves were victims of a hack attack, instead the victim was a partner of theirs, Silverpop Systems, Inc. The real example would be whether Silverpop Systems, Inc. is suffering any losses or gains from this incident. Failing this simple understanding is cringe-worthy for using it to back a rather extreme viewpoint. Considering Silverpop is in the B2B space, it would make more sense that they’d be negatively impacted vs a retailer sort of experience in line with TJ Maxx or McDonald’s alone.

    Second, regularly making any claims that turn out to be false is a bad idea. This is a general maxim that has nothing to do with FUD or decrying costs of security incidents as a way to justify security. This would also include making claims that nothing will happen to your brand if a breach occurs…when in fact something happens.

    Third, what about security disclosures like those that feature annually at various BlackHat or Defcon events that cause lawsuits and job threats? Would security issues like RFID credit card weaknesses have an impact? What about banks who have wire transfer fraud and are possibly not doing enough to provide security to companies who end up footing hundreds of thousands of dollars in bills with money they simply don’t have on hand?

    Fourth, I agree with Prefect’s comment that Sweeney has good points and there are some truths to this situation, but Sweeney’s end assertion is somewhat ridiculous and unsupported.

    Only management can make an assertion on whether security incident X will be costly, not some talking head making dangerous generalizations.

    The problem with Sweeney’s message is how quickly this can be misunderstood and turned from “a breach won’t kill your brand” to “a security incident won’t cost you anything.” And that’s exactly how anyone unenlightened will take it.

    (Kinda similar to someone’s recent “Getting Off The Patch” article…)

  • ksec says:

    What did the CardSystems breach do to Savvis audit services’ reputation and brand?

  • Roy says:

    It might not kill your brand, but a breach can still cause huge damage. A case in point is the ongoing issue with the European Emissions Trading System which has been shut down for a number of days as they try and counter a breach.

    This is a market with a turnover of 90bn a year which is now off the air.

    “There is no point in denying that this is a pretty big deal,” said Henry Derwent, head of the International Emissions Trading Association in Brussels.”

  • Adam says:

    Regarding Cardsystems, if you have to go back 5 years to get an example, you’re dealing with outliers.

  • Dissent says:

    We don’t have to go back 5 years, as my blog post demonstrated with more recent examples of businesses that were killed by breaches.

    But the standard shouldn’t be “killed by a breach” for determining brand harm. While Heartland Payment Systems wasn’t killed, it was mortally wounded. If you look at their stock long-term, wouldn’t you agree they were harmed by their breach?

    Which raises another point: if your customers start filing class action lawsuits against you following a breach, would you still claim that brand hasn’t been harmed? Should we include lawsuits as another measure of brand harm?

  • Jay Jacobs says:

    I am completely on your side Adam, my gut is telling me that for non-“trust-in-us” companies, breaches aren’t going to influence purchasing decisions much. However, I think both sides of the argument are leaping to a conclusion prematurely. While we just don’t have accurate data to prove that security breaches cause “churn”, we also cannot conclusively disprove it. Almost all evidence of reputation loss that I can find is based on opinion. It’s further exacerbated by misleading quotes like Mr. Hulme had:

    “According to a recent Ponemon U.S. Cost of a Data Breach Study, which is based on an analysis of 45 data breach cases with a range of about 5,000 to 101,000 records. This study found considerable customer defections as a result of the breach”

    Which is sad, because what it found is that people *felt like* a breach caused customer defections. The ponemon study says this about it:
    “Lost revenue: The loss of customers (churn) and other stakeholders because of system delays or shutdowns as a result of a cyber attack. To extrapolate this cost, we use a shadow costing method that relies on the “lifetime value” of an average customer as defined for each participating organization.”
    And what is this “shadow costing method”?
    “The survey design relies upon a shadow costing method used in applied economic research. This method does not require subjects to provide actual accounting results, but instead relies on broad estimates based on the experience of the subject.”

    So this “research” is asking people how they felt about churn, which is the same exact approach Terry Sweeney took, not very compelling in either direction.

    Perhaps the question can’t be answered by looking back. Perhaps we should be asking, “what we can start doing to measure breach impact on purchasing decisions moving forward?” In other words, if there was a breach at your company, can you put something in place now to estimate/measure how much “churn” the breach caused?

    • Jay Jacobs says:

      I wanted to add one more point on ponemon “shadow costing”, I’d like to say it stinks, but all I can say is that it doesn’t scale well with outliers, take the datalossdb page on TJX:
      Total known costs: $64,113,000.00
      Ponemon Institute Direct Costs Estimate: $5,640,000,000.00

      The difference between the two is this unmeasured “churn” and other soft costs, but that would mean they would have had to lose more customers than they had (around $4B gross revenue in 2006).

      • Jay kind of nails it. Sweeney overstates the case that his data will support. He makes a good point, but there’s no harm in scrutinizing his argument and data. But where is this scrutiny when it comes to the arguments and data on the other side? In infosec a lot of things seem to get a free pass so long as they support the argument we want to make.

        And when you ask them, “How much should we give?”
        Ooh, they only answer More! more! more!

        • Adam says:

          The burden of proof is on the claim that A influences B. Sweeney may overestimate, but if we want to change his mind, we’re going to need to bring the data.

          • LonerVamp says:

            Or if he wants to change my mind, he needs to bring better data… That can go both ways. 🙂 Otherwise we’re just slinging opinions we “think” we like best, and nothing is really defensible or attackable at the same time.

            I think most people have attacked his jump from Data ABC to Claim XYZ, and not attacked his claim at all, since you really can’t. I just don’t buy that large jump without some better definitions and study. I somewhat agree with his end claim, but not in a dangerous way that makes casual glancers of his claim think that security is value-less in the long run.

            Besides, “in the long run” if a company doesn’t die, then how do you prove that anything at all had a harm on its image/value?

  • marty miracle says:

    Quick show of hands. Of those of us who are required to give the picture of the impact of breaches to our companies/clients, who has stated that a breach could put them out of business?


  • jml says:

    I don’t have to say it; I just refer to the PCI Council’s SMB website:

    Left side, below the pretty stock photo, headline “Protecting cardholder data is good for your business,” bullet 3:

    “Helps you stay in business”

    I coulda sworn that an earlier version had reversed the sense, and said something to the effect that noncompliance increased the merchant’s risk of ~”Going out of business”~

    Oh; there it is:

    last bullet to fill out the “If you are at fault for a security breach, business fallout can be severe:” answers as to why you, as a merchant, should care.

    Now, that’s a highly modified breach-cost environment, and most of the negative cost impacts are in forensic QSA investigation costs, escalation to Level 1 (and compliance costs for same), ongoing ROC costs above SAQ costs… penalties… fraud losses… Oh yeah, and (maybe) brand damage. Which are quite likely to be game-enders for many small merchants.

    I have to say that I am impressed that the Council decided to be so forthright on their public SMB face. Now, if only they were more constructively addressing the cost and complexity of compliance for your average Level-4 stuck with a shiny state-of-the-art POS system whose vendor reps are only barely aware that the app persists CHD after authorization.

    But that’s really a different kettle of fish.

  • jml says:

    Only in the context of PCI. I advise IT shops which generally include one or more Level 4 merchant environments.

    I generally reference:

    which contains:

    “If you are at fault for a security breach, business fallout can be severe:

    * Fines and penalties
    * Termination of ability to accept payment cards
    * Lost confidence, so customers go to other merchants
    * Lost sales
    * Cost of reissuing new payment cards
    * Legal costs, settlements and judgments
    * Fraud losses
    * Higher subsequent costs of compliance
    * Going out of business”

    Right there at the bottom.

    Remarkably candid for a large organization.

    I note that the brand damage isn’t likely to be nearly so much of a driver for business-EOL as entertaining forensic QSAs, escalation to Level 1 status, ROC versus SAQ, fines, etc etc.


  • Patrick Florer says:

    @Jay Jacobs –
    If datalossdb is reporting $64M for TJX, then they are about $127M short, before accounting for accelerated CAPEX (which is not stated and hard to evaluate in any case.)
    Don’t believe me, read the SEC Filings from 2007 – present and work the numbers.


  • Mr Stuff says:

    Terry Sweeney always has some good info over at the CMO site. Love the guys stuff.
