Following yesterday's discussion on managing a security team and infrastructure on a shoestring, the second part of the conversation focused on the planned spending by Sony Pictures.
Inspired by the story that Sony Pictures plans to spend $15 million on better cyber security after major attacks hit it in both 2011 and 2014, in which attackers made off with personal details, I asked two security professionals to discuss this.
After the conversation began on Twitter, I passed the discussion over to Coalfire European managing director Andrew Barratt and Gary Smith, a senior security professional within financial services. Barratt initially pointed out that the $15M equates to $109 per person. So the question is: do you focus on securing the company as one entity, or on average spending per employee?
Barratt said: “I find it helpful to sanity check these sorts of numbers, as whilst $15m sounds like a big number, when put in context it can often play out to be insignificant and show the opposite intentions.
“Large global companies now rarely secure the whole enterprise as a block; different business units in different territories will have very different security requirements, as well as local laws and compliance regimes to adhere to, and this is before the different types of data they may use are considered.”
Barratt pointed to some key facts from the Sony incident as an example to help understand a large company's board response:
- Revenues for The Interview were higher than expected ($40m from on-demand), particularly after a fairly flat critical response AND the film being stolen and made available online. Mass amounts of PR and speculation around the breach could be attributed to causing higher awareness and then sales.
- Major movie stars didn’t start threatening to sue them despite comments/emails that appeared to be quite damaging. Whilst privately the reputation of Sony might be diminished – we’ve seen a ‘don’t bite the hand that feeds’ moment, perhaps really showing how powerful Sony’s reputation is to these people. With potential paychecks of $10M+ for doing a film, I suspect the talent will turn a blind eye to rude commentary from film execs.
- Major losses from the prior year – 40 billion yen ($337m) – leading to restructuring and an exit from the PC business. This alone makes a $15m ‘loss’ from a cyber-event seem pretty insignificant. If $15m is the attributed loss to the cyber event, that’s a mere 4.5 per cent of PC business losses, and it will get a proportionally lower amount of C-level exec time.
Barratt said: “If Sony spend $15M extra, let’s work on the basis it is extra and give them some assumed current base of technology and staffing. This equates to about $109 per person across the whole Sony group. Sony have 140,000 people worldwide. Whilst we often hear about the security challenges faced by small businesses and lack of skills or budget – large companies have similar problems.
“Imagine being the CISO at a company where a $15m loss isn’t considered material – does that reduce the need for your security programme? Or do you have to change the scale at which you operate and just accept losses in line with the board appetite? How do you react when the loss of perceived valuable data or intellectual property seems to increase revenue, and the loss of sensitive emails doesn’t do massive reputational harm?
“These are complex questions larger companies with hugely diverse businesses face. For a large global business, a decision to sell one product or not can be massively more damaging or rewarding than a single cyber event. If it is $15m for just the Sony Entertainment business unit, will that support the PSN business, the hardware business or will there be different rules for different parts of Sony.”
He said that the other reason to think of it as a per-person cost is that the typical successful entry point usually leverages the endpoints, which are what gets attacked. “So if we had to spend $100 for everyone, surely we’d allocate some of that (even if it is delivered internally) to awareness training and use the rest as a pool for a combination of additional staff and tech,” he said.
Smith said that one of the main issues with this particular breach is that it almost seems to have an inverse effect on Sony. “The Interview stank up the place as a movie, and made way more revenue than it probably would have otherwise,” he said.
“As Andrew also points out, this is insignificant in the wider context of other losses elsewhere (and arguably is offset by the gains on The Interview revenue). They’ve also ridden out the previous PSN hack, which had a negligible impact on the share price. At this stage, I’m not surprised that the board aren’t jumping up and down.”
Barratt suspected that the $15M is more of a token gesture, as some of the large breach investigations in the USA have cost over $1M in forensics alone.
Smith said: “The other aspect to this is that the $15M is pitched as an increase to an unknown figure. That could translate to a notional increase on an already large budget that could be rationalised after the fact based on known issues from the previous two breaches. Why am I spending $Xm on <tool X> when it doesn’t appear to make a material difference to whether I’m hacked or not?”
It seems that one company’s $15M budget is another’s lifetime budget, and the circumstances in which it has come to land in the lap of the security team are fairly extraordinary. Thanks to Andrew and Gary for their time in this discussion.