Should companies spend to avoid breaches?
I was shocked by the blog posted September 4 by Robert Westervelt of SearchSecurity.com and re-forwarded today to subscribers of “SecurityBytes Roundup” concerning the aftermath of the TJX credit card breach. As readers of this blog will no doubt recall, TJX experienced a breach in early 2007 that exposed over 45 million credit cards, and the company has been busy cleaning up after the mess ever since. Now, 2 1/2 years later, after a 42% decline in stock price (in 2008), Westervelt sees TJX’s financial performance as an indicator that spending on advanced information security tools is apparently unjustified.
His reasoning is that TJX is a leader in retail and would have been a leader anyway regardless of the breach. TJX’s results for the first six months of 2009 indicate above-average year-over-year performance versus other entrants in the industry. This is post hoc ergo propter hoc reasoning: because TJX’s strong financial performance came after their data breach, Westervelt reasons, the data breach must have caused the above-average 2009 performance. Aside from the obvious conclusion that one should not ask Westervelt for stock picks, he has conveniently glossed over two major points that completely invalidate the reasoning: 1) TJX has spent tens of millions in documented fines, penalties and damages as a result of the data breach that it would not have had to spend had it merely installed and run adequate security in the first place; 2) TJX has spent a significant sum since the breach to repair the inadequate controls and bring its infrastructure up to minimum PCI DSS requirements, if not exceed them.
At the end of the blog post, Westervelt says “it’s difficult to say that companies should spend millions on new technology to defend their data,” while allowing that implementing defense-in-depth controls might still be a good idea. This conclusion is kind of like saying “skip the air bags because my antilock brakes will protect me. Meanwhile, I plan to drive faster anyway.” In other words, there’s absolutely no basis for coming to Westervelt’s conclusion.
Although Monday-morning quarterbacking has become all the rage of late after the recent economic chaos, I will offer my own version of what happened to TJX stock since the breach in 2007. TJX got caught quite literally with their pants down, with some of the weakest wireless security protecting some of the most sensitive data they handle in many, if not all, of their stores. They paid a significant price for that mistake; I would argue considerably more than they would have paid had they decided proactively to become compliant and maybe even exceed PCI DSS minimum requirements. In other words, had TJX taken the tens of millions that they have now spent in breach-caused fines, penalties and damages and in 2006 devoted those funds to a secure infrastructure, they would have avoided the breach and would be much better off financially today. One could argue that their monthly performance in 2008 was a direct result of further customer desertion by shoppers who did not want to expose their credit cards, in the belief that TJX’s security was still a problem. I don’t know this to be the case, but it’s just as likely to be true as the conclusion Westervelt draws that companies waste money when they invest in high-quality security infrastructure. Furthermore, my version goes, the results from 2009 are incrementally better than the field in retail due primarily to the extremely poor results TJX showed in the year-earlier period. One might even go out on a limb and argue that TJX did better in 2009 because their customers became aware of the substantial investments in security that had been made within the infrastructure that now protects them. So: customers saw better security and they came back to TJX. Now this may be a fanciful view of the facts as we have them, but it’s just as likely to be accurate as the Westervelt perspective.
Stock price is essentially the present value of future earnings. One could easily say that had TJX not had their breach, not only would their 2008 have been better, but 2009 would have established them as the industry leader in retail, where no doubt their top management believes they should be. The notion that retailers cannot justify expenditures on state-of-the-art security infrastructure in order to come up to minimum compliance requirements is simply ludicrous. Beyond the obvious avoidance of lawsuits and fines, spending money on better security often produces excellent results in other parts of the IT infrastructure. Although most security product vendors can’t sell this concept any better than they can sell hardware and software, it’s still true, and most CISOs would agree with this assertion.
Hope is not a strategy, and hoping you won’t get caught ignoring security isn’t a good idea either. Let’s get compliant with the very reasonable standards that are out there and stop looking for some “get out of jail free” card that will immunize us when we get caught doing the wrong thing.