Of course it matters if you are a government agency involved in delicate matters of state. It matters if you are a network terrorist group such as al Qaeda. On an individual level we want security in our lives. We know that violent crime exists and we can become victims of it. We are willing to pay for door locks, location of where we live, and security systems to help ensure our lives are as secure without giving up our individual freedoms.
During 2003 to 2005 hacker had access to TJX computer systems. This hack the biggest computer break-in in commerce history. The computer break-in did not depend on online transactions and it was not only one computer system at TJX that was vulnerable but several. From storing credit card information to customer driver’s license information stored when a merchandise transaction was done. Customers standing in front of the cashier not online transactions created all of this information.
To be fair to TJX it was the victim of a horrendous crime. Subsequent analysis of what TJX was doing it was found that TJX was not in complaint with all PCI rules but TJX was working towards meeting all of the PCI rules at the time it was hacked.
Ok let’s get back to our original question; “Does Security Matter?”
Under TJX settlement agreement, TJX has agreed to fund up to $40.9 million for customers affected by the data breach. TJX has reported in SEC fillings that it has had to absorb $118 million charge related to its massive security breach.
Looking at other financial indicators for TJX;
· 15 consecutive years of annual comp sales increase.
· Comps outperformed retail index 8 of last 10 years.
· Increase in Profit Margins (FY06-FY11) except FY09.
· 15 consecutive years of dividend growth.
Sony’s recent data breach involving its online videogame services has cost it more than 1.25 billion from lost of business. Sony may never recover all of it’s lost online business.
In both cases the businesses and customers were impacted by security. So yes security does matter.
Today the leading reason for companies to move to secure coding is compliance to governmental and industry regulations not for other aoristic reasons. If you have to tell your CIO or CEO a data breach occurred where private details of 45 million customers was violated then I think you answer is yes security matters. If you are the corporate security officer then security matters but you have to relate to the CIO and CEO that security is not foolproof. If you are the CEO, CFO and CIO is security important or getting out the next product release or new functionality to further your goals important or can you afford both?
I cannot talk for TJ MAX or Sony nor do I talk for any other organization but security does matter for me. In this is blog we are going to talk about security and current issues. We are going to focus on Privacy, Cloud security, NIST 800 series publications and other topics. Please join me while we investigate these topics.