> Jason Spaltro, then executive director of information security at Sony Pictures, called it a "valid business decision to accept the risk of a security breach" in a 2007 interview with CIO Magazine, adding he would not invest "$10 million to avoid a possible $1 million loss."
I have seen people promoted to Information Security Officer who did not know the first thing about IT or programming, let alone hacking or things like APTs, server security or the top ten list of exploits.
I believe he was promoted because they wanted him away from his previous job, managing a software development department.
I think what people are hinting at, but not explicitly saying, is that the $10M vs. $1M tradeoff between hardening a database and notifying users is a very narrow perspective. They're not weighing the possible monetary losses to their users or possible damage to their reputation.
And that's one of the many things that makes security hard: effectively weighing impacts against remediation costs (even measuring impacts is really hard). It appears Sony did it badly. But I agree with the statement that it doesn't make sense to spend $10m mitigating against a possible $1m loss.
But that's not the question. No one's suggesting that Sony considered this specific scenario and arrived at a loss impact of $1m, are they?
Hindsight is a wonderful thing.
An interesting question is this: You're the CISO of a major Hollywood studio. You have a budget of $xx million. Smart, well-resourced people are determined to destroy your company. What do you do?
Who even hires these people?