Shostack + Friends Blog Archive

 

Your career is over after a breach? Another Myth, Busted!

I’m a big fan of learning from our experiences around breaches. Claims like “your stock will fall”, or “your customers will flee” are shown to be false by statistical analysis, and I expect we’d see the same if we looked at people losing their jobs over breaches. (We could do this, for example, via LinkedIn and DatalossDB.)

There’s another myth that’s out there about what happens after a breach, and that is that the breach destroys the career of the CISO and the entire security department. And so I’m pleased today to be able to talk about that myth. Frequently, when I bring up breaches and lessons we can learn, people bring up ChoicePoint as the ultimate counterexample. Now, ChoicePoint is interesting for all sorts of reasons, but from a stock price perspective, they’re a statistical outlier. And so I’m extra pleased to be able to discuss today’s lesson with ChoicePoint as our data point.

Last week, former ChoicePoint CISO Rich Baich was [named Wells Fargo’s] first chief information security officer. Congratulations, Rich!

Now, you might accuse me of substituting anecdote for data and analysis, and you’d be sort of right. One data point doesn’t plot a line. But not all science requires plotting a line. Oftentimes, a good experiment shows us things by being impossible under the standard model. Dropping things from the tower of Pisa shows that objects fall at the same speed, regardless of weight.

So Wells Fargo’s announcement is interesting because it provides a data point that invalidates the hypothesis “If you have a breach, your career is over.” Now, some people, less clever than you, dear reader, might try to retreat to a weaker claim “If you have a breach, your career may be over.” Of course, that “may” destroys any predictive value that the claim may have, and in fact, the claim “If [X], your career may be over,” is equally true, and equally useless, and that’s why you’re not going there.

In other words, if a breach always destroys a career, shouldn’t Rich be flipping burgers?

There are three more variant hypotheses we can talk about:

  • “If you have a breach, your career will require a long period of rehabilitation.” But Rich was leading the “Global Cyber Threat and Vulnerability Management practice” for Deloitte and Touche, which is not exactly a backwater.
  • “If you have a breach, you will be fired for it.” That one is a bit trickier. I’m certainly not going to assert that no one has ever been fired for a breach happening. But it’s also clearly untrue. The weaker version is “if you have a breach, you may be fired for it”, and again, that’s not useful or interesting.
  • “If you have a breach, it will improve your career.” That’s also obviously false, and the weaker version isn’t falsifiable. But perhaps the lessons learned, focus, and publicity around a breach can make it helpful to your career. It’s not obviously dumber than the opposite claims.

So overall, what is useful and interesting is that yet another myth around breaches turns out to be false. So let’s start saying a bit more about what went wrong, and learning more about what’s going wrong.

Finally, again, congratulations and good luck to Rich in his new role!

4 comments on "Your career is over after a breach? Another Myth, Busted!"

  • Kyle Maxwell says:

    I joined Heartland Payment Systems after their breach, and the hypothesis about careers didn’t hold true there, either.

  • John F. says:

    Very insightful post and of course congratulations to Rich! I interviewed with him at Choice Point before the breach. I didn’t make the final cut, but he gave me some career advice that I’m very grateful for since it’s changed a lot for me. The places I’ve been in as a consultant or as an FTE have had no turnover. In most cases it is a lessons learned experience for the client.

  • There’s a nice anecdote (guilty as charged!) about Dave Packard doing a post mortem on a product that had flopped due to an engineering failure. He tells the worried engineering manager “I’m not going to fire you, now that I’ve invested $20 million* in your education.”

    Sunk costs are very real. Keeping someone on the job to fix the mess is probably a lot more cost effective than firing.

    As to the career prospects: someone who has managed to fight an orderly retreat in difficult circumstances may be a lot more valuable than someone who has only seen sunny days.

    *Or other amount that sounded large by the standards of 1956 or so.

  • akb427 says:

    I saw the owner of a helicopter company send the same message as that Packard anecdote, saying he’d retain any pilot of his that crashed a copter and survived.

    The thing is, for people in our (bad at statistics and critical thinking) society, the statement “if you do X, then Y bad thing may happen” is enough to dissuade. To most people, the questions “What’s the cost or downside of not doing X?” and “Just how likely is Y to follow X?” don’t really seem to occur.

Comments are closed.