Just about a year ago, most of us were learning about the Target data breach. It had been discovered just before Christmas at the height of the holiday shopping season, and its scope was slowly revealed to the public over the subsequent months. During that time Target’s stock price suffered significantly (the firm lost $3.2B of market value between December ’13 and February ’14) and CEO Gregg Steinhafel, a 35-year veteran of the firm, resigned.
Since then, Target has become a byword for data breach. Even as dozens of other firms enter the fray and admit that they, too, have lost staggering amounts of consumer data, Target still looms large in consumers’ minds. It certainly wasn’t the first major breach; plenty of firms (Sony being one) have experienced large incidents before. Perhaps it was the timing of the breach, or the fact that it was the first one that seemed so closely tied to the departure of a chief executive. Whatever the reason, Target was the breach that made everybody sit up and take notice.
Those in the cybersecurity world were, in a sense, relieved at this development. At last, the public’s attention had been turned to what is undoubtedly one of the greatest national security issues of our time. Finally, we could bring this topic out into the light of day and treat it properly, as a community threat. The Target breach, although it caused significant damage, led us into an era that could help the many.
Or so we thought. Since February 2014, when the full extent of the Target breach was divulged, a peculiar thing has happened. Data breach and info security have become mundane and unremarkable – we are no longer surprised by or concerned with a major breach. Less than 1 year later, dozens of high-profile breaches have left the public numb to the phenomenon. Consider the recent Sony Pictures hack: characterized initially as the work of a state actor with terrorist intent, this breach was an absolutely unprecedented event. Yet, 6 weeks later, it has all but disappeared from the news.
Before Target, it may have been said that the general population suffered from breach apathy. We must now face the possibility that breach apathy has given way to breach fatigue.
It will be hard to know which is worse without living through them both. Was the public apathy that preceded the Target breach responsible for negligence that enabled the bad guys? Or will post-Sony fatigue lead to ever-more careless behavior on the part of employees? It’s possible that it doesn’t matter, because both sets of problems are rooted in the same malfunction: effective security must begin at the board level and flow all the way through an organization. Anything less than strategic, long-term oversight will result in vulnerable operations and more breaches.
In simple terms, this means that the security community must focus on bringing its work into the boardroom. This means making the business case for security investments – assigning a risk-rated value to assets that justifies a proposed investment in technology. It also means that the management community must seek out the technologists and help them build these business cases – help them understand not just the tactical concerns, but the strategic basis for their work.
When the executives and technologists can meet on common ground and discuss security as it relates to business strategy, then we will begin to see progress against both breach apathy and breach fatigue. When we recognize that security is truly a community effort, there is no longer any excuse to ignore the problem.