Sony Hacking - Who Screwed Up

TLDR: Sony’s leadership is setting the security bar too low for a Fortune 500 company and the result is repeated embarrassing hack attacks.

Perhaps now Sony will get the message that their information security needs a lot of improvement before it rises to the level of sucking very badly.

In my opinion, a company the size of Sony should not be hackable.  By that, I mean that their cyber security teams should actively detect and shut down any small penetrations before they turn into anything serious or get any deeper.  No way should attackers be able to silently infiltrate to the level they did.

Sony has a Leadership Problem

You can look at this security issue or that security oversight but those things are just symptoms.  The problem is that the Sony leadership is not making security a priority company-wide.  Even in the wake of a series of embarrassing security problems, they haven’t taken the hint and taken charge of their security problems.

True information security (and security in general) is a commitment and it is one that needs to be made at the highest levels of management.  It doesn’t matter how dedicated the various staff members are if they aren’t getting the support from management.

But instead of accepting responsibility and making changes, Sony CEO Michael Lynton says, “We were extremely well prepared for conventional cyber security… 90 percent of all U.S. corporations would not have withstood the cyber attack that we experienced.”  Sony was number 105 on the Fortune 500 list for 2014.  Their security should be among the best in the world, not somewhere down in the 90 percent, sorta OK area.  If that is what the CEO thinks, they still have a big problem and it won’t get better until the mindsets change.

Empowered from Above

In 2002, Bill Gates sent out the Trustworthy Computing memo.  Microsoft had become a laughingstock in the technical community for the lackluster security in Microsoft Windows.  The memo and the ensuing actions turned Windows around and put Microsoft back in the security game.

A similar memo would go a long way toward empowering Sony employees to make the changes needed to make Sony a safe place to work and a safe haven for customer and employee data.

A Layered Approach

Good security is compared to an onion because it has many layers.

Sony needs to hire a security boss who reports directly to the executive level. This person needs the financial resources and the power to turn things around.

The security boss needs to create a series of layers so that the most critical data is protected.  Each employee from the lowest to the highest levels should be considered and the risk they represent minimized.

No one person should be able to do large amounts of damage to the organization.  Consider what the consequences will be if an executive loses their laptop or phone. Review what could happen if a particular employee is bribed, becomes disgruntled, or is a plant of some kind.

Empowered Security Team

With support from above, Sony can create a security team that is a world-class police force capable of a top-notch security response to threats to Sony’s profits, employees, and customers.

Find the right people, give them the support and cooperation of the leadership, and maybe Sony can stop being the company that makes headlines every couple of years for being hacked in a big way.


David Walker

David Walker is a Secure Software Consultant, a Certified Secure Software Lifecycle Professional (CSSLP), and a Professional Scrum Master. He believes in secure and reliable software and productive happy teams. He lives in Orlando with his lovely wife Lynn and his 2 dogs.