By Ron Benvenisti: I’m not going to talk about how it happened, who was responsible, how IT data is a business’s most valuable possession, privacy, or the geekly gory technical details. I’m not going to rant about their IT failures. So what else can an IT Business Security Analyst talk about? Business. And reading between the lines, Sony has a great business model. Getting the same results with fewer resources. Right. Less is More.
Listen, I don’t give a whit about Princess Beatrice of York’s salary at the studio. I’m talking return on investment. And Sony can teach all of us in the IT Security profession a very profound and extremely valuable lesson. I only hope they’re also smart enough to see how it applies to their IT security processes.
Let’s read between the lines: The lines of one of the hacked/leaked documents cited in today’s Headliner in The Hollywood Reporter: “Sony Hack Reveals Top-Secret Profitability of 2013 Movies.”
One of the documents yields a gem of a businessman’s strategic dream coming true: Making more money with less investment. As in ROI. As in Less is More. (Keep that in mind because it works and that’s what I’m going to get to for us IT security folks, later). This is not a Hollywood movie, folks. It’s Rated BP. (Best Practice)
“Currently, approximately $1B in production spending can be expected to deliver $500M-$600M in profits,” the letter says. “Through his continued focus on financial discipline, Doug hopes to improve that ratio to a point where $800-$900M in production spending delivers $500-$600M in profits.”
This was revealed in one of the hacked/leaked documents that also illuminated Belgrad’s handling of negotiations on a Paul Blart: Mall Cop sequel. “The production budget was originally set between $45M and $50M,” the letter says. “Doug successfully negotiated with the producers to get Kevin James to accept less compensation and to reduce the production budget to approximately $38M.”
Similarly, Belgrad brought the budget of the upcoming Adam Sandler movie Pixels down by $25 million even after chairman and CEO Michael Lynton agreed to make it for up to $135 million. “Doug artfully negotiated with the producers to reduce the production budget to $110M and through his own network of contacts secured the required co-financing,” the letter says.
Also contained in the same document were details of Osher’s recent restructure of Imageworks, Imageworks Interactive, Colorworks and Post Production — a move that reduced staff by 230. Osher’s move to outsource much of the company’s special-effects work was controversial in the VFX world.
“Because of Bob’s extraordinary focus on cost management, Imageworks is expected to generate $7M in EBIT (before restructuring) in FY15 despite a 30% reduction in revenue,” the letter states.
Belgrad and Osher get it.
Why don’t we get it?
So what does Sony do now? Are they going to be smart, or be foolish like the other big gorillas who, after a breach, jumped into a frenzy and decided to throw 10000% of the money it takes at IT security, trying to fix 100% of the problems, when the truth is that even when you fix 100% of the problems (which is impossible anyway) you get, at most, 80% fixed in the best case?
In fact, the statistics show that:
When you just fix the 20% of the most important IT security issues you have, you get the same 80% maximum return as you would if you spent the money required to fix 100% (which is not possible in the best of cases, anyway).
As far as Sony goes, let’s hope their CISO is as smart as Bob Belgrad. Here’s a guy who gets the same 100% results by putting in something like 10 to 20% fewer resources.
But how about your business going even further than Bob? Get 80% return on a 20% investment. If “The 80/20 Proposition” sounds like a great movie title, it isn’t.
The fact is: There are just 15 things you can do today to secure your most valuable business assets.
Top 15 Cyber Security Precautions Your Business Can Take Today
1. Know what you have to steal. Do you know what assets are in your cyber “cash drawer”?
2. Know what you have to vandalize. Criminals can break the “windows” of your website and more.
3. Who has the keys to your kingdom? Identify who has elevated privileges in your organization.
4. Know your employees. Assemble your security team, including IT, legal, audit, and management.
5. Give your employees clear directions. Develop IT policies and procedures, then train your staff.
6. Protect your crown jewels, first. Prioritize your efforts. You can’t protect everything equally.
7. Re-key your cyber locks. Use stronger passwords, and consider using “double” locks.
8. Jiggle your own locks. Act like a burglar. Try “jiggling” your own locks, using penetration testing.
9. Think like a thief. Look at all the vulnerabilities in your systems and processes, and your suppliers’.
10. Have a plan. Be prepared to respond if you suffer a break-in or other disaster.
11. Who’s watching? Monitor who’s coming into and going out of your systems…and who’s watching YOU.
12. Compliance counts. Be sure you’re compliant with laws and regulations. Violations can be expensive.
13. Get to know your local police. They’re a part of your team. Include other agencies that can help.
14. Join a neighborhood watch. Talk to your neighbors, including similar businesses and associations.
15. Get professional advice. Do you do your own repairs? Your taxes? Talk to professionals who specialize in the field.
Are you doing them? Your business is your screenplay. Isn’t it time you won an Oscar?
I’m always available to help out.
@BenvenistiRon
(516)750-0478 x103