Tuesday, May 3, 2011

The ONE most important lesson from the Sony PlayStation Security Breach

77 million paid users, personal information such as email, passwords, credit cards, access to a platform that managed powerful Playstation devices, and licensed content makes such services a sure target for hackers and jail breakers. 

Jail Breakers and Hackers both saw the rich opportunity which the business failed to see. Jail breakers for the thrill of free content and the urge to make the content freely available. Hackers for the rich source of credentials, credit card numbers and email which can be sold to fraud rings for a fee, and possibly could install malware updates on Playstation devices potentially  harnessing them for denial of service attacks or even to deactivate them.

There are 50 million or so BIT Torrent users who believe that it’s their right to share licensed content. For all businesses this is a reality that we need to live with.

Jail breakers can be dealt with by removing the need to jailbreak and making the product  secure. Key concerns of jail breakers are price and availability. One can also make it profitable for a jail breaker to report flaws for a fee. Imposing criminal action as a deterrent motivates jail breakers to go underground, thereby loosing the opportunity to harness their expertise to improve product security.

Hackers on the other hand profit from this action as they are already underground. An insecure product or service is rich pickings.

So why did such a large organisation fail to see the inevitable?

The main reason is the inadequacy of addressing security as a major business concern. Instead of improving product and service security, the focus was on prosecution, as the immediate problem was loss of license revenue and that was what business understood of the problem.

This inconsistency is present in every business where business and an IT decision makers overrule security in favor of functionality and a false belief that such problems do not occur.

All CISO’s should highlight this incident to their management as a wakeup call.


  1. Provocative article, thanks!
    IMO, Security-spending is still seen as an insurance by many CEOs. And since Insurance is tied to Risk, it is vital that a CEO gets a simple risk-calculator to justify spending beyond "industry averages" on their security budgets. Traditional methods of "The damage is so large that it can take the company down" make it hard to quantify risks v/s costs.

    Not justifying the norm; merely sharing an observation.

    Hemendra Godbole

  2. I do agree with your point of view of using a risk based cost benefit analysis to derive budgets. In reality, since security is normally intangible deriving a cost benefit analysis can vary widely depending on how risk is perceived for the same situation. The other and larger issue is that risk based spending applies to other areas besides security such as IT, finance, business deals etc and in many countries and business verticals its not used at all. Leaders are more comfortable with gut feel or industry averages.