Shostack + Friends Blog Archive


Predictably Apathetic responses to Cyber Attack

Wh1t3Rabbit has a great post, “Understanding the apathetic response to a cyber attack”:

Look, Dana’s right. His business is the organizing and promotion of the UFC fights. Secondary to that business is the merchandising and other aspects of the UFC – but that probably is a significantly smaller portion of the overall company revenue. Now where does the website figure into all this? Sure, it’s the web home of the UFC, and people probably hit it a million times a day to get the information on upcoming fights, video clips and such … but at the core of the question is does the website make Dana White money? Judging by his response (NSFW) to the hack – the answer is probably “not enough for him to care a whole lot”. This is interesting.

I wish he’d stopped there. The answer is that business often doesn’t care, because we don’t communicate effectively about why the business should care.

We as a community have two choices. We can bitch and moan about what the people who pay us need to do, or we can ask what we need to do to change things.

I have a strong opinion about which will make us happier in the long run.

Raf (Wh1teRabbit) goes on to make some really good points about why the business should care. So why do I wish he’d stopped? Because it distracts from the issue that he drew attention to, which is our failure to effectively communicate with the folks who pay us. Here’s a guy who might be making a boatload of money from his website, but doesn’t get how it contributes to his bottom line. That’s a failure on the part of the CEO’s geeks to make sure they get credit for a revenue stream. And that leads to a failure on the CEO’s part to care about what they do.

So, how much time are you spending learning to speak executive?

2 comments on "Predictably Apathetic responses to Cyber Attack"

  • The other guy says:

    “The answer is that business often doesn’t care, because we don’t communicate effectively about why the business should care.”
    There is always the option that we don’t understand the business like we think (being security experts, but no more). It’s not always a matter of communication. Sometimes it’s the right thing not to invest in security.

  • adamo says:

    I read two books to learn that. First one “Winning as a CISO”. Not very happy with it, for it pictures an ideal setting where everything works like clockwork and incidents just happen. And then I read “Real World Operations Research” by Gene Woolsey. All sorts of valuable advice, including “upstairs” speak.

    But one must always remember: the best way to learn to speak executive is to practice it. I try not to miss an opportunity to do so.
