As disturbing as the breach of some 500 million Yahoo customer accounts might be, most IT security professionals know that there but for the grace of Providence go they.
While it’s difficult to say with any absolute certainty that things might have turned out differently, one of the major revelations in the wake of this breach is the tension that existed between Yahoo senior managers and the company’s IT security professionals over the amount of money being spent on IT security. Even in the best of times, business leaders are reluctant to increase spending year over year by more than a few percentage points. If the IT security budget is small to begin with, a five percent increase in spending from one year to the next is not likely to make much of a difference.
The IT security situation tends to deteriorate even further when companies are financially troubled. There’s a lot of pressure to keep a lid on spending if not outright decrease it. Competition for a limited amount of budget dollars often means that IT security doesn’t get the level of priority it should.
In the case of Yahoo, the recent breach disclosures are nothing less than a business nightmare. Now in the middle of a complex $5 billion acquisition initiated by Verizon, shareholders, regulators and lawmakers alike are now demanding to know who at Yahoo knew exactly what when. In addition, now that Verizon has dispatched its own vaunted IT security team to clean up the mess, the telecommunications giant is already incurring IT security costs even before the deal actually closes. Add in the damage to the corporate brand along with potential fines and there’s a real case to be made for invoking bad faith clauses that could either force a deal like the Yahoo acquisition to be renegotiated or aborted altogether.
There are two big object lessons that every organization should take away from the Yahoo debacle. The first is a need to level set IT security spending. Most organizations grossly underestimate what it really costs to achieve an acceptable level of IT security. They may have increased IT spending over the years. But because they started with such a small base, it’s not really making a substantial difference as the volume and complexity of attacks being launched has increased exponentially. In addition, any organization that thinks of the IT security budget in terms of a defined percentage of the overall IT budget is begging for trouble. Most IT budgets are a single number percentage of total revenue. If the IT security budget is a single percentage of the total IT security budget, it quickly becomes clear how fundamentally disadvantaged the organization really is.
The second big take away is the critical IT security due diligence required in any merger or acquisition. Data is a strategic corporate asset. If that data has been compromised in a way that results in it becoming available for pennies on the dollar of its true worth, the value of the business being acquired is not nearly as high as initially assumed.
It’s all too apparent to IT security professionals that most boards of directors don’t yet fully comprehend the implications IT security issues can have on the business as whole. That’s unfortunate for all concerned because as the Yahoo case clearly illustrates, members of those boards, like it or not, can now count on the fact that going forward and back they most certainly will be held accountable for IT security.
Mike Vizard has covered IT for more than 25 years, and has edited or contributed to a number of tech publications including InfoWorld, eWeek, CRN, Baseline, ComputerWorld, TMCNet, and Digital Review. He currently blogs for IT Business Edge and contributes to CIOinsight, The Channel Insider, Programmableweb and Slashdot.Mike also blogs about emerging cloud technology for Intronis MSP Solutions by Barracuda.