Sony has finally hired someone as chief of security with the background to understand there is a connection between the existence of locks, barn doors and escaped horses.
Usually big companies lock the barn door after all the livestock are gone; Sony never really bothered, even after a series of attacks on Sony sites that began April 20 with a hack that took down the PlayStation Network for more than three weeks.
Then there was the attack on Sony Online Entertainment and Qriocity, and 14 or 15 other attacks on various other Sony sites or networks, most of them made possible by Sony's decision to fix internal systems to protect its internal data rather than the external ones that protect its sites or customers, by its inability to accept responsibility for its own culpability, by internal communication problems that kept it from identifying common weaknesses, or by the cost-cutting and layoffs in IT security just before the long series of hacks.
Sony lost half its stock value as the number of attacks increased and it became clear just how sketchy its idea of security really was, not to mention its minimalist approach to protecting the information of its customers.
Early on internal risk assessors published an estimate that the attacks would cost Sony an acceptable $171 million in lost business and new expenses, plus whatever would be awarded to plaintiffs in lawsuits that had not yet been filed because the lawyers putting the suits together couldn't agree on how many times to include the words "stupid" and "careless."
Today, September 6, four months, 17 days after the first attack, Sony announced it has hired a new chief security officer: Philip R. Reitinger, whose title will be Senior VP and chief information-security officer.
Reitinger is a former U.S. Dept. of Homeland Security official who also worked in cybersecurity for Microsoft and at the Depts. of Defense and Justice.
(Insert your own joke here about the reputations of Microsoft, the DoD and FBI on cybersecurity.)
There's no real indication so far how good he is at tightening up internal security or improving public perception of a giant company whose flaccid precautions ruined its reputation globally.
He has all the attributes big companies look for when recruiting high-level executives, however:
- An executive haircut, ability to sit and testify to Congress without making his suit look all baggy, ability to look passionate about his topic whether he's making any sense or not, lots of appearances on C-span (looking passionate about his topic whether making sense about it or not).
- The ability to appear on television defending a weak and fractured cybersecurity plan that even the people implementing it don't seem to understand.
- Hagiographic writeups on career-summary sites that make reference to his long history "patrolling cyberspace" and leadership in "efforts to safeguard the computer systems that run everything from government databases to the country's infrastructure" without mentioning government and crime-scene reports demonstrating how weak that protection actually is.
- A long and impressive-looking resume that's nevertheless too vague and dull to convey much of his real accomplishments.
- Experience in business: He was "Chief Trustworthy Infrastructure Strategist" at Microsoft until 2009, a time when its infrastructure security really did improve, without ever actually becoming "trustworthy."
- Experience being tough on whatever they're hiring him to do: Reitinger was No. 2 in charge of criminal investigations and prosecutions for the DoJ's Computer Crime and Intellectual Property section (where he got an Exceptional Service Award).
- Written (and sworn) ability to effectively regulate and oversee companies for which he used to work (though a long blacked-out redaction in the middle of a purely routine bit of government-employment background-check paperwork looks mighty odd).
- The ability to resign one job three months before the announcement that he's taken a new one, even though he appears to have resigned specifically to take it. (Another mysterious gap that could simply be the opportunity to take a long vacation, relocate the family, or do his on-the-job training while still under the radar of media types who will be snarky about his potential before seeing any evidence of what it is.)
Financial News Network doesn't exactly endorse the choice, but does say Sony's stock price has a "potential upside of 34.4%" based on the difference between what people are willing to pay for it and what analysts say it's worth.
A lot of that gap is probably due to perception that Sony is a leaky boat.
From Sony's demonstrably internally-focused point of view, Reitinger will have succeeded if he raises confidence enough to buoy the stock price along with it; after that, any improvements in actual security are just gravy.
Read more of Kevin Fogarty's CoreIT blog and follow the latest IT news at ITworld.