December 10

Planning for Failure

This week in my Information Security Management class we discussed planning for security.  The class discussion, of course, was about planning for success.  Unfortunately, many of the real-world conversations I have had and articles I have read this week show more clearly how people and corporations are failing because of their planning.  I am sure they are not planning to fail, but their actions and poor planning have been leading to their demise.

My interest in this issue was piqued while reading about the recent problems that Sony Pictures Entertainment (SPE) is facing.  Their difficulties stem from corporate planning.  Unfortunately for them, the planning was of the wrong kind.  Many articles claim that, in an effort to reallocate company resources, they were on a mission to save money by cutting staff.  This cost-saving planning extended to their IT compliance and security department.  They did everything they could to save money and cut corners, including adopting a policy of “just enough compliance.”  The result was a breach of SPE’s personally identifiable information (PII), with estimates of upwards of 47,000 employee records exposed.

In addition to the budget cuts to their IT Security programs, they laid off a number of employees in the last year.  Sony is not alone in this practice.  There is an epidemic in the corporate world of layoffs, benefit cuts, and even employee demotions.  This, combined with the cutting of IT Security budgets, has created a perfect storm, and I think SPE is just the first of many victims.  Given the nature of this breach, it is fairly evident that there was help from a trusted insider.  Some estimates say that this breach will cost SPE over $100 million, and that does not count the personal cost to the employees whose information was captured.  Had SPE focused on maintaining a functioning IT Security department, this breach could have been avoided entirely, saving the company far more than the money it will lose because of this attack.  Proper planning could have saved their reputation.

It is time to stop planning only for right now and start planning strategically for the future.  It is time to focus less on the bottom line and more on preemptive planning that maintains a secure posture and protects the information that is the lifeblood of any company.

Copyright © 2014. John R. Nye, All rights reserved.

Posted December 10, 2014 in category "Uncategorized"

About the Author

Professional penetration tester with nearly a decade of experience in IT security. For more details look me up on LinkedIn.
