
> Jason Spaltro, then executive director of information security at Sony Pictures, called it a "valid business decision to accept the risk of a security breach" in a 2007 interview with CIO Magazine, adding he would not invest "$10 million to avoid a possible $1 million loss."

Who even hires these people?



I've been told by someone in the field at a very high level that many are chosen to take the fall when something like this happens.


People who don't know better, whose expertise is in other fields?


This is an exec though! If you're hiring for that position you either:

* know what you're doing with regards to hiring

* don't know what you're doing, and defer to someone competent to make that hiring decision for you

I now understand why I'm not a CEO.


Alternate proposed requirements:

* an inflated sense of your own value

* competent enough to make other people believe it

Or, as hga proposed:

* be a useful mark to take the fall when it comes


I have seen people promoted to Information Security Officer who did not know the first thing about IT or programming, let alone hacking or things like APTs, server security or the top ten list of exploits.

I believe he was promoted because they wanted him away from his previous job, managing a software development department.


Not sure I follow. Are you saying that it's sane to spend 10x the value of a thing protecting against the loss of that thing?


I think what people are hinting at, but not explicitly saying, is that the $10M vs. $1M tradeoff between hardening a database and notifying users is a very narrow perspective. They're not weighing the possible monetary losses to their users or possible damage to their reputation.


And that's one of the many things that makes security hard: effectively weighing impacts against remediation costs (even measuring impacts is really hard). It appears Sony did it badly. But I agree with the statement that it doesn't make sense to spend $10m mitigating against a possible $1m loss.


How would you value the loss that Sony has faced here? If you guessed more than $1M, you did better than this guy.


But that's not the question. No-one's suggesting that Sony considered this specific scenario and arrived at loss impact of $1m, are they?

Hindsight is a wonderful thing.

An interesting question is this: You're the CISO of a major Hollywood studio. You have a budget of $xx million. Smart, well-resourced people are determined to destroy your company. What do you do?


Nice try, Scott



