Back in December 2014 I'd posted on this very blog my initial thoughts on the hack of Sony. Recently I read the excellent Fortune article about the incident, and it's even more fascinating now that I have additional details. Let's hope that Sony Pictures makes a movie about the whole thing!
Of particular interest to me was something said back in 2007 for an article in CIO magazine by Jason Spaltro, the individual in charge of cyber security at Sony Pictures. He put it bluntly, "I will not invest $10 million to avoid a possible $1 million loss."
As a person who has made numerous proposals to Management, I can empathize. Why spend money on something that hasn't happened? That is a mindset that can only be changed by something happening. Risk management, business continuity and disaster recovery are all part of the same dish. And it generally takes something like a breach or a hurricane to change the mindset of those that control the purse strings.
In my professional life, I've had the same conversation again and again with Management. Why am I going to spend this money if nothing has happened? Or better yet, even after it happens, I'm told that it won't happen again.
So how does one overcome the objections to spend money on Risk Management? Be both prepared and a little bit sneaky.
When I say be prepared, that means having proposals that address Risk Management "on deck" (think in terms of an F-18 Hornet ready to launch on the deck of a carrier; all the pilot is waiting for is the Go sign). Note those areas within the organization that have been identified as weak and in need of remediation. You might not be able to sell Management on all of them, but there can be some low-hanging fruit that is reachable. Have proposals ready.
The other part is to be a little bit sneaky. What does that mean? Well, as part of the budgeting process you might be able to add certain items related to Risk Management as part of your annual capital expenditures; think in terms of something being dual-use. Hey, we need to upgrade this, and in the process we'll add this feature (i.e., a control) that enhances the system and, oh by the way, also helps us achieve compliance with SOX, HIPAA or whatever other regulations might exist (there are lots of them). And after the controls are in place it'll be more hassle than not to remove them - better to ask forgiveness than beg for permission.