Data Breach Cynicism Takes Hold

Published
November 14, 2022

2 min read

Sean Steele is co-founder and managing
partner at Infolock.

In This Article

Join Our Newsletter

Follow Us

Tags

In more than 20 years of working in the IT security industry, I’ve helped literally hundreds of companies build and mature their security programs. With some notable exceptions, when my team comes in to help out, these programs range from ineffective to completely nonexistent.

In many cases, there are too few security personnel trying to do too much with too little support (and money). My guess is that might have been the case at companies like Marriott, MGM Grand, Twitter, and Nintendo in the past year; not enough guards standing outside some of the world’s greatest treasure rooms of personal information and identity data.

If I’m being honest with myself, the only surprising aspect of these data breaches is that they weren’t worse. When it comes to U.S. consumers’ sensitive data, and breaches of that data, there are three main forces at play:

  1. Corporate America is ignoring its security obligations
  2. The federal government is unable to legislate regulatory protections for consumer data or to enforce existing regulations
  3. Consumers are not punishing corporations who lose their sensitive information

In the past decade, corporate America has made little progress toward better security:

  • Security managers still report to technology executives, who view security as costly, disruptive, and less critical than operations
  • Hackers are still the focus – not the data itself, nor the people managing it
  • Senior executives are unaware of security risks or unwilling to take action
  • Security budgets aren’t focused on training or supporting security personnel
  • There’s little or no long-term strategic planning for security

The security landscape in regulated industries is cloudy in part because federal, state, and industry regulations don’t actually protect or secure sensitive data. And, they conflict with one another. What enforcement does occur for these regulations is largely symbolic.

Regulators and regulated companies continue to share a “checkbox” mentality about security – one that doesn’t examine the veracity, efficiency, completeness, or resilience of security controls. Said another way, it’s great you’ve got an encryption solution purchased – but have you deployed it to any laptops? Can you detail what sensitive data is on those encrypted laptops?

Compliance does not equal security, much like having a gym membership doesn’t mean you’re more fit.

The hard questions companies should be asking about their data aren’t contemplated by existing security frameworks: how to classify data, whether it needs to be stored, how long it should be kept, who should have access, how it’s backed up and archived, whether and how it’s encrypted, where it goes both in-network and in the Cloud, etc. Often the answers to these questions don’t exist because organizations don’t know where to start.

Meanwhile, consumers are enabling politicians and corporations to continue this quiet catastrophe of data breaches. TJX, the parent company of retailer T.J. Maxx, is responsible for one of the largest credit card data breach on record.

In 2007, between 45 and 94 million credit card numbers were stolen from T.J. Maxx. It cost them roughly a quarter of a billion dollars in breach-related spending to set things right, but their stock price never really suffered over the past decade:

TJX has grown to be one of the largest and most profitable retailers in the world, ranked #87 on the Fortune 500 list with revenues in excess of $33 billion.

The same story has played out with other retailers (Home Depot, Target), healthcare players (Anthem, Magellan, Tricare), tech giants (Yahoo!, EBay), media companies (Sony Pictures Entertainment), and financial services firms (JPMorgan Chase, Heartland Payment Systems, Citibank) who emerged basically unscathed from spectacular consumer data breaches.

I’m deeply cynical about data breaches and the organizations who “suffer” them. For many (if not most), it has been cheaper to ignore, underspend, and underdeliver on security protections, hoping they don’t get compromised and don’t have to publicly disclose such failures — than to proactively build defenses and resiliency.

I expect more and larger data breaches in the coming years. Whatever pretense of data privacy American consumers have insisted on, with regard to their personal identities, finances, and activities, is long gone and never to return.

Instead of playing (and losing) an arms-race game with hackers and cyber-criminals, we should be pulling back, focused on the sensitive data assets that our businesses, economies, and lives depend on. Otherwise, we’re just doing the same old things and expecting different results.

I hold out hope that individual companies can move the needle toward more mature security programs — placing information governance and data protection at the heart of their efforts.

Related Posts

Flip The Script: Let The Attackers “Win”
What does it look like when organizations do their data security and risk management homework upfront,

2 min read

April 5, 2023

Cybersecurity Is Dead — What Now?
We must stop insisting cybersecurity can "win" the war against cybercriminals, because we've already lost.

2 min read

March 10, 2023

4 In 4: 4 Insights From My First 4 Months At Infolock
After four months on the job at Infolock, I want to let prospective customers and employees know.

2 min read

April 7, 2021

Challenge The Status Quo
Quick fix technology solutions aren't a substaitute for hard work and careful planning.

2 min read

January 16, 2023

Data Breach Cynicism Takes Hold
In more than 20 years of working in the IT security industry, I’ve helped literally hundreds of companies

2 min read

November 14, 2022

Ciso, We Have A Problem
Since 2001, I’ve worked with hundreds – even thousands – of infosec practitioners: analysts, engineers, technicians,

2 min read

August 17, 2022

It’s The Data, Stupid!
Data is notoriously messy. It’s clear most organizations have lost control of it – or, never had control of it in the first place.

2 min read

June 26, 2022

Peak Vendor: Reclaiming Infosec Priorities And Budgets In The Age Of Big Marketing
I’m not sure when the bubble began. Three years ago? Five? Security needs

2 min read

May 3, 2023

Banishing The Backseat Drivers
If you’re in security, you know how

2 min read

March 30, 2022

Vendors Know You Too Well
Could you imagine walking into a car dealership without:

2 min read

January 15, 2022