Thinking today about one of the lessons I learned from futurist @heathervescent: you may be pretty sure something is going to happen, but you don't know WHEN.
Did we know some kind of pandemic was going to happen sooner or later? Yes.
Did we know some kind of major third-party breach was going to happen? Yes.
But risk management is the scary art of trying to time your preparation for JUST before you need it, because prep costs time and money and people. Sometimes you get it right, and sometimes you get it wrong.
Someone asked me the other day (about the breach), "Did we bring this on ourselves?" I can't say that we have. What would we have done differently, and how much would it have cost? How could we have sold it to management?
Because even though management may agree with you on the potential impact of a breach, they will generally disagree with you on the likelihood (and more importantly, the timing). Unless you can convince them that it's IMMINENT, they will defer it.
And that's just normal business risk management. Don't spend money until you really need to.
If a security program costs you $1 million per year to run, and you forgo it, but get breached in the second year to the tune of $500k, guess what? You came out ahead! You saved $1.5m.
Most security pros don't understand this logic unless they have run a business themselves. It's why new startups don't run out to hire an expensive CISO. Don't spend anything you don't absolutely need to.
If you're smart and lucky, you add security controls and processes as you grow, right before you need them. If not, you wait until the probability reaches 1 (that is, you actually have a breach).
This is what I call "cheeseburger risk management": you decide you're going to eat cheeseburgers until your first heart attack, and THEN you'll stop. It's more common than you think.