Our pal Eddie Schwartz was named CSO of RSA earlier this week, presumably with a big role at the mothership (EMC) as well. The Tweeter exploded with congratulations, as well as cautions about the difficulty of the job, given the various shoes that will inevitably continue to drop resulting from the April breach. Believe you me, Lockheed and L-3 are the tip of the iceberg.
Also think about Sony, which has been subjected to an ongoing hacker mauling the likes of which we had not seen before. The sad tale is being documented in real time at attrition.org. Crap, they even made owning Sony a verb (sownage). That’s never good. Sony recently named a fellow to fix it, and he faces the same challenge as Eddie. How do you drive consistent awareness and behavioral change to protect information in an organization of tens of thousands of people?
You had better have a plan, and not a short-term one. There are no quick fixes for a situation like this.
Why can’t Sony and EMC just write a few checks and fix it? Wouldn’t that be nice? But as my stepfather says, “If it’s a problem you can solve with money, it’s not a problem.” Guess what? This is a problem. Shrdlu’s recent missive really illuminates the difficulties in getting everyone to march to exactly the same drum. As she says, it takes a long time (think years, not months) to effect that level of change.
As if that were the only issue facing these guys, the situation would be manageable. Sort of. Unfortunately it’s not that simple, because we live in a short-term world and both of them need to play find the turd, – I mean, perform a risk assessment, to understand where the other soft targets reside. Then they need to monitor those resources and watch carefully for signs of attack. Like sharks smelling blood, it won’t take long before the next wave of hungry attackers surround the wagons, as is happening now with Sony. That’s the short term plan.
But we all know the short term has a funny way of consuming all the resources, forever. You know, life is a series of short-term fires which need to be dealt with. Long-term plans never mature (and often aren’t even made). This is what separates the organizations which recover from breaches from those which don’t. So the art is to pay attention to the short term without losing sight of long-term goals.
Yeah, easier said than done. Sony, RSA/EMC, Epsilon, Lockheed, and all the other organizations showing up in the 24/7 media cycle have a great opportunity to capitalize on their short-term pain to implement long-term structural changes. Will they do it? I have no idea, but we’ll know soon enough by keeping an eye on the front pages. The media is good like that.