Comments on: Holding a Lighted Brand up to Damage http://emergentchaos.com/archives/2007/03/holding-a-lighted-brand-up-to-damage.html The Emergent Chaos Jazz Combo Wed, 01 Feb 2012 19:20:40 +0000 hourly 1 http://wordpress.org/?v=3.3.1 By: Nick http://emergentchaos.com/archives/2007/03/holding-a-lighted-brand-up-to-damage.html/comment-page-1#comment-3439 Nick Wed, 28 Mar 2007 16:45:10 +0000 http://emergentchaos.com/?p=2287#comment-3439 Mordaxus: No apologies necessary! I think this is becoming a conversation best had in person (with beer, needless to say), like an email conversation that gets too long. I see what you're saying about connotations of words like "competence". But I guess for me it has a b-school connotation of "Core competence". As an investor, I would expect a data broker to have IT security as a core competence as I would expect a Wal-Mart to have IT logistics as a core competence. Everyone gets "rooted" but they don't always disclose personal non-public information - and "breached" to me connotes lost PPI, which is part of Tim's original post on brand damage. Your post indicates that I should not use words like "incompetence" or people will stop disclosing breaches. My post was about how an investor would value a stock that suffered a breach. Perhaps I should have been more clear that I meant "to an investor a breach is an indicator of a lack of competence and they must evaluate factor in their estimate of the stock's value". (Many probably also think about how a breach will impact other investor's estimates of the stock's value. Perhaps that helps explain Allan's TWX gif.) I see what you mean by my choice of words has the potential of stigmatizing breach disclosure, but I also happen to think that it is how investors think and thus is fair game for discussion vis-a-vis the impact of breaches on stock price (nee brand damage). You are thinking that it is bad to stigmatize breaches. I am trying to understand how breaches stigmatize (specifically a share price). Mordaxus:
No apologies necessary! I think this is becoming a conversation best had in person (with beer, needless to say), like an email conversation that gets too long. I see what you’re saying about connotations of words like “competence”. But I guess for me it has a b-school connotation of “Core competence”. As an investor, I would expect a data broker to have IT security as a core competence as I would expect a Wal-Mart to have IT logistics as a core competence.
Everyone gets “rooted” but they don’t always disclose personal non-public information – and “breached” to me connotes lost PPI, which is part of Tim’s original post on brand damage.
Your post indicates that I should not use words like “incompetence” or people will stop disclosing breaches. My post was about how an investor would value a stock that suffered a breach. Perhaps I should have been more clear that I meant “to an investor a breach is an indicator of a lack of competence and they must evaluate factor in their estimate of the stock’s value”. (Many probably also think about how a breach will impact other investor’s estimates of the stock’s value. Perhaps that helps explain Allan’s TWX gif.)
I see what you mean by my choice of words has the potential of stigmatizing breach disclosure, but I also happen to think that it is how investors think and thus is fair game for discussion vis-a-vis the impact of breaches on stock price (nee brand damage). You are thinking that it is bad to stigmatize breaches. I am trying to understand how breaches stigmatize (specifically a share price).

]]> By: Mordaxus http://emergentchaos.com/archives/2007/03/holding-a-lighted-brand-up-to-damage.html/comment-page-1#comment-3438 Mordaxus Wed, 28 Mar 2007 15:14:10 +0000 http://emergentchaos.com/?p=2287#comment-3438 <p>Nick, forgive me, btu I think that "lack of competence" and "incompetence" is a difference without distinction. I'm no particular fanboy of the law of the excluded middle, but if you sayd, "Mordaxus, I didn't say you are <b>incompetent</b>, I just think you have a <b>lack</b> of competence" I wouldn't say, "Oh, that's all right, then. Sorry I took offense." <p>The point you are making -- that if there is one breach there may be others -- has merit in a vacuum, and I don't disagree. However, stigmatizing bad news has consequences and those consequences are not good for society. It creates value for hiding bad news. We need to create value for bringing good news out. <p>In addition, I think you're being naïve. Everyone gets rooted eventually. Yes, being rooted is bad. But no matter how good you are, someday you'll not patch that PHP server in time, or someone will launch a targeted attack against you. It's going to happen. <p>Consequently, very low rates of reported breaches are as bad as high rates. High rates may say something bad about competence, or it may say something good about detection and response. Low rates may say something good about prevention, or it may say the organization is organically or willfully blind. </p></p></p></p> Nick, forgive me, btu I think that “lack of competence” and “incompetence” is a difference without distinction. I’m no particular fanboy of the law of the excluded middle, but if you sayd, “Mordaxus, I didn’t say you are incompetent, I just think you have a lack of competence” I wouldn’t say, “Oh, that’s all right, then. Sorry I took offense.”

The point you are making — that if there is one breach there may be others — has merit in a vacuum, and I don’t disagree. However, stigmatizing bad news has consequences and those consequences are not good for society. It creates value for hiding bad news. We need to create value for bringing good news out.

In addition, I think you’re being naïve. Everyone gets rooted eventually. Yes, being rooted is bad. But no matter how good you are, someday you’ll not patch that PHP server in time, or someone will launch a targeted attack against you. It’s going to happen.

Consequently, very low rates of reported breaches are as bad as high rates. High rates may say something bad about competence, or it may say something good about detection and response. Low rates may say something good about prevention, or it may say the organization is organically or willfully blind.

]]> By: Mordaxus http://emergentchaos.com/archives/2007/03/holding-a-lighted-brand-up-to-damage.html/comment-page-1#comment-3437 Mordaxus Wed, 28 Mar 2007 14:51:03 +0000 http://emergentchaos.com/?p=2287#comment-3437 Adam, I think security issues need to be a form of public health issue. Nice people get cancer. Nice people get heart attacks. Nice people get STDs. Nice people also have their airliners occasionally fall out of the sky, too. While there is pleasure to name-and-blame, it is not a pleasure that makes the world a better place -- kinda like smoking. Adam, I think security issues need to be a form of public health issue. Nice people get cancer. Nice people get heart attacks. Nice people get STDs. Nice people also have their airliners occasionally fall out of the sky, too. While there is pleasure to name-and-blame, it is not a pleasure that makes the world a better place — kinda like smoking.

]]> By: Nick http://emergentchaos.com/archives/2007/03/holding-a-lighted-brand-up-to-damage.html/comment-page-1#comment-3436 Nick Wed, 28 Mar 2007 13:36:47 +0000 http://emergentchaos.com/?p=2287#comment-3436 To be clear: I said that breaches are sign of <b>lack of competence</b> not incompentence. And there is a difference in this context. I should also be clear: I'm not talking about brand damage - I would not have the competence to measure that. I'm talking about stock price and company value. My post should also be taken in context of my post on frequency of breaches: <a href="http://www.wikidsystems.com/WiKIDBlog/where-are-you-on-the-normal-curve-of-information-security." rel="nofollow"><a href="http://www.wikidsystems.com/WiKIDBlog/where-are-you-on-the-normal-curve-of-information-security." rel="nofollow">http://www.wikidsystems.com/WiKIDBlog/where-are-you-on-the-normal-curve-of-information-security.</a></a> My point is this: If there is one breach, there likely have been or will be more. As an investor I would say, "these guys can hang on to their data very well." Then I would ask: "Does it matter?" If they are a retailer, I suspect not. If they are a data broker, I suspect yes. If the company handles it well, I will add back points for a good recovery. I might think: "They may have a lack of competence in information security, but they understand PR and marketing and that is what matters in their market". I also don't see how my post rewards the mendacious. The mendacious are rewarded when they aren't caught. The potential embarrassment existed before my barely-read post. Embarrassment is no longer the driver in breach disclosure. It used to be that if a breach was discovered and not disclosed the result was more embarrassment. Now it is (in most instances) against the law. Top management needs no knowledge of IT and information security for a company to be competent in IT and information security. They need only to hire well, manage well, etc. I like Ian's point, though. I would interpret it thusly: Don't worry too much about security, but be ready with a PR/spin plan when you're breached. There might be an agency issue in that the plan might call for some people to be sacked and you don't know where that might stop. To be clear: I said that breaches are sign of lack of competence not incompentence. And there is a difference in this context. I should also be clear: I’m not talking about brand damage – I would not have the competence to measure that. I’m talking about stock price and company value. My post should also be taken in context of my post on frequency of breaches: http://www.wikidsystems.com/WiKIDBlog/where-are-you-on-the-normal-curve-of-information-security.
My point is this: If there is one breach, there likely have been or will be more. As an investor I would say, “these guys can hang on to their data very well.” Then I would ask: “Does it matter?” If they are a retailer, I suspect not. If they are a data broker, I suspect yes. If the company handles it well, I will add back points for a good recovery. I might think: “They may have a lack of competence in information security, but they understand PR and marketing and that is what matters in their market”.
I also don’t see how my post rewards the mendacious. The mendacious are rewarded when they aren’t caught. The potential embarrassment existed before my barely-read post. Embarrassment is no longer the driver in breach disclosure. It used to be that if a breach was discovered and not disclosed the result was more embarrassment. Now it is (in most instances) against the law.
Top management needs no knowledge of IT and information security for a company to be competent in IT and information security. They need only to hire well, manage well, etc.
I like Ian’s point, though. I would interpret it thusly: Don’t worry too much about security, but be ready with a PR/spin plan when you’re breached. There might be an agency issue in that the plan might call for some people to be sacked and you don’t know where that might stop.

]]> By: Adam http://emergentchaos.com/archives/2007/03/holding-a-lighted-brand-up-to-damage.html/comment-page-1#comment-3435 Adam Wed, 28 Mar 2007 11:10:52 +0000 http://emergentchaos.com/?p=2287#comment-3435 Great post! Nick's post, unfortunately, drives the embarrassment side of the story, and I hate that. Embarrassment bad. People work to avoid embarrassment. They dont give me data points. Not having data points makes me sad. Great post! Nick’s post, unfortunately, drives the embarrassment side of the story, and I hate that. Embarrassment bad. People work to avoid embarrassment. They dont give me data points. Not having data points makes me sad.

]]> By: Iang (on why you should ignore security!) http://emergentchaos.com/archives/2007/03/holding-a-lighted-brand-up-to-damage.html/comment-page-1#comment-3434 Iang (on why you should ignore security!) Wed, 28 Mar 2007 04:32:09 +0000 http://emergentchaos.com/?p=2287#comment-3434 Note well Allan F's comments about the difficulty of measuring the price effect. This makes sense if you consider that security is a small part of the most businesses, and it is risk after all, so we expect a few breaches. Management aren't incompetent, but they are probably ignorant. If you are lucky, management has an MBA, and if he or she was lucky, that included 1 or 2 lectures on <i>the entirety of IT</i>. In a market where security (whatever that is) cannot make a lot of difference to the bottom line, management are best off ignoring it. You have a choice as a manager: listen to some salesman who is talking nonsense, and has no better strategy than to try to force you to CYA with some accusations of incompetence, or wait for the breach, which will give you hard data on just what you need to do. Which looks cheaper? Note well Allan F’s comments about the difficulty of measuring the price effect. This makes sense if you consider that security is a small part of the most businesses, and it is risk after all, so we expect a few breaches.
Management aren’t incompetent, but they are probably ignorant. If you are lucky, management has an MBA, and if he or she was lucky, that included 1 or 2 lectures on the entirety of IT. In a market where security (whatever that is) cannot make a lot of difference to the bottom line, management are best off ignoring it.
You have a choice as a manager: listen to some salesman who is talking nonsense, and has no better strategy than to try to force you to CYA with some accusations of incompetence, or wait for the breach, which will give you hard data on just what you need to do.
Which looks cheaper?

]]>