A recent analysis of the Sony data breach shows that there were several places where the company could've more quickly addressed the compromise. What are the most important things organizations can take away from Sony's handling of the breach?
Sony has experienced at least 20 public security breaches in 2011, with the most egregious breach being that of the PlayStation Network (PSN). Attrition has a good breach timeline of the initial Sony breach and subsequent compromises. Only recently did Sony decide to hire a CISO, and this person is going to have significant work in front of him or her to secure Sony and integrate security into its culture.
One of the most important lessons learned from the Sony breach has to do with communication. Incident response best practices dictate that open, honest and timely communications minimize the effects of a breach on customer relationships. While there are many technical lessons to be learned from these attacks, mostly having to do with ensuring good security practices throughout the extended enterprise, Sony's minimal incident response communications only expanded its public relations nightmare. Sony hurt customer relationships by not disclosing sooner that its customers' credit card data had been breached in the PSN attack. Sony initially stated that personal information had been stolen, but did not confirm that credit card-related data had been disclosed. Had Sony communicated sooner that there was a problem and that the company was looking into it, it could have avoided or minimized the damage to customer relationships, as well as inquiries from various government agencies. Hopefully, hiring a CISO to lead incident response and review high-profile security decisions can help prevent future Sony rootkit incidents and customer relationship problems.