Sony Pictures' information security team, small as it is, is in the crosshairs of all and sundry after the recent breach of significant proportions. As is typical for information security, once a victim is found the ritual and merciless victim bashing can begin. What most of these pieces forget is that the issues highlighted for Sony Pictures are present, if not prevalent, in the majority of large organisations.
Kick them when they're down
This scenario plays out time and again:
- A large organisation is in the news for industry average information security practices.
- Ex-employees, who as a rule remain unnamed, come out of the woodwork to provide their expert opinion on how bad information security practice was at their ex-employer.
- For bonus points they say how they have been tolling the bell umpteen times to get the company to fix their pet security issue.
“Sony’s ‘information security’ team is a complete joke,” one former employee tells us. “We’d report security violations to them and our repeated reports were ignored. For example, one of our Central European website managers hired a company to run a contest, put it up on the TV network’s website and was collecting personally identifying information without encrypting it."
NOTE: Data encryption is always considered the silver bullet, especially by those that don't understand information security.
At the same time we get information security "experts" that will tut, rage, shake heads and comment loudly and vehemently how awful Company X is and almost say that they deserve to be hacked for having such poor security.
Behavioural economics is bad for your risk management
But that's not the reason for this post. The reason is Sony's perceived "shockingly cavalier approach to information security". In an interview with CIO magazine in 2006 Jason Spaltro, then Executive Director for Information Security at Sony Pictures Entertainment, finished his hypothetical scenario with a reasonable:
“I will not invest $10 million to avoid a possible $1 million loss.”
More enlightened information security practitioners are typically fans of Daniel Kahneman's Prospect Theory and of behavioural economics in general. Prospect Theory was written as a critique of the Expected Utility hypothesis; both have an unstated expectation that all information required to make a decision is available. I don't think it's necessary to point out here that there are always uncertainties and missing information. That fact generally doesn't stop people from praising Prospect Theory and pillorying those that actually use it to make decisions. For the record: I hold that those that use Prospect Theory in anything but an academic study setting should be shown the error of their ways.
For those information security practitioners that really want to use behavioural economics to drive their decisions: you can do much worse than the old (Bounded) Rationality Theory, which at least takes into consideration uncertainty under which decisions are made.
Key takeaway: Prospect Theory and the Expected Utility hypothesis back up Spaltro's example: don't spend a guaranteed $10m to prevent a chance of a $1m loss. Problem: both PT and EU only work in a world where there is no uncertainty and all outcomes and their probabilities are known.
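As an added illustration (not part of the original post) of the takeaway above: the expected-loss rule behind Spaltro's $10m-versus-$1m example is applied first with point estimates, as Expected Utility assumes, and then across a plausible interval of probabilities and impacts, where a single point estimate can hide the fact that the answer is undetermined. All dollar figures and probabilities other than Spaltro's are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class LossScenario:
    probability: float  # annual probability that the loss event occurs
    impact: float       # loss in dollars if it does occur

    def expected_loss(self) -> float:
        return self.probability * self.impact


def worth_investing(control_cost: float, scenario: LossScenario) -> bool:
    """Expected Utility rule: spend on the control only when the expected
    loss it prevents exceeds its (certain) cost."""
    return scenario.expected_loss() > control_cost


def breakeven_probability(control_cost: float, impact: float) -> float:
    """Probability at which expected loss equals control cost. A value
    above 1.0 means no probability can justify the spend."""
    return control_cost / impact


def decision_under_uncertainty(control_cost: float,
                               prob_range: tuple, impact_range: tuple) -> str:
    """Apply the same rule at the corners of the plausible ranges. Since
    expected loss is monotone in both inputs, the corners bound the answer.
    Returns 'invest', 'do not invest', or 'undetermined' when the ranges
    disagree, which is the case point estimates silently hide."""
    verdicts = {worth_investing(control_cost, LossScenario(p, i))
                for p in prob_range for i in impact_range}
    if verdicts == {True}:
        return "invest"
    if verdicts == {False}:
        return "do not invest"
    return "undetermined"


if __name__ == "__main__":
    # Spaltro's example: a $10m control against a possible $1m loss.
    # Even a certain loss does not justify it, so the decision is robust.
    print(decision_under_uncertainty(10_000_000, (0.0, 1.0),
                                     (1_000_000, 1_000_000)))
    # Constructed case: $1m control, 2%-30% likelihood, $0.5m-$20m impact.
    # The point estimate looks decisive; the interval says otherwise.
    print(decision_under_uncertainty(1_000_000, (0.02, 0.30),
                                     (500_000, 20_000_000)))
```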
Information security dogmas
In the CIO article Spaltro comes across as a very rational and pragmatic person. A few choice quotes:
Summing up, the auditor told Spaltro, “If you were a bank, you’d be out of business.”
Frustrated, Spaltro responded, “If a bank was a Hollywood studio, it would be out of business.”
Absolutely true. We always say: know your business. What is required of a financial services institution is typically counterproductive for non-financial services institutions.
And on increasing burden of regulations:
“We’re trying to remain profitable for our shareholders, and we literally could go broke trying to cover for everything. So, you make risk-based decisions: What’re the most important things that are absolutely required by law?”
“I sincerely believe that if we left it all up to the auditors to tell us what works, we wouldn’t have a business at the end of the day,” Spaltro says.
In short, the CIO article shows a pragmatic information security professional that understands business and understands information security.
But that doesn't let Spaltro off the hook. He understands that information security must be tailored to the business it tries to protect, and that the only way this can be done is by risk management. The problem is that the risk management approach that has been taken is immature, and was so even in 2007.
We are not a bank
That's the sentence I heard at least five times during a short, one hour interview with a large entertainment conglomerate here in Sydney. That's the sentence their IT and information security team is told time and again when they propose new security controls. And not once did they stop to think and say:
"You're absolutely right. We're not a bank, we're a large entertainment organisation and our industry runs on schadenfreude. Our reputation will take a nosedive if we don't keep improving our operational risk management and basic security and keeping up with current needs."
That would be what an experienced risk manager would and should say. Anything less is doing a disservice to your employer.
The problem with this thinking is that you have not defined what your industry is, or what its unique requirements for risk management and information security are. Unless you define what you are and what your unique information security needs are, you cannot manage your risks to achieve your goals. You will either spend more than necessary or not enough; either way by a margin greater than is reasonable.
Sony Pictures Entertainment: risk management failure
Sony Pictures' Spaltro clearly is a fan of risk-informed decision making. However, there is good indication that the risk analysis that informed the decisions at Sony Pictures in 2005-2007 (and, by the looks of things, continued well into 2014) didn't pass muster even in 2005, let alone now.
A few glaringly obvious mistakes that are easily discerned from the CIO article:
- Not updating their risk assessment as time went by. Just because something was good enough in 2006 doesn't mean it is good enough half a year later. As context changes so should you review your risk assessment and update it where necessary.
- Not keeping in touch with technology progress. This is clearly part of the context, but in this case it is far more widespread because it's the linchpin of the usability that Sony Pictures' security team denied the business operations.
- Not helping their business by using security technologies that make daily chores simpler and more secure (password managers, etc.). Know your business, and make it as easy as possible without increasing complexity or reducing security. It can be done.
- Not understanding the business they are in from a risk perspective. Yes, you are not a bank; you are in an industry where dog eats dog for breakfast. Reputation is everything, so protect it accordingly. And by all means get the right message to the powers that be. If you can't, hire a PR company to do your internal influencing. You're in the entertainment industry; it is almost expected of you to act the part.
- Not doing risk assessment correctly: making decisions by not asking your constituents for their input. They are the ones that will be impacted by your decisions: involve them early, involve them often.
- Not using external subject matter experts (reputation, technology, security, finance, etc.) where and as needed.
Risk management is a very powerful tool, but it needs to be used properly. There are no shortcuts in risk management. Anyone that thinks they can circumvent risk management processes or go for a "lite version" typically gets from risk management just what they've invested. In other words, risk management is the world's biggest GIGO processor: garbage in, garbage out.
UPDATE: As Pete Lindstrom pointed out, the post lost its way. The intent was simple: Sony made risk-influenced decisions. They should be applauded for not only doing it, but also advocating it. However, they should be called out for the immature way they have gone about assessing risks.