Well, Sony isn’t exactly a traditional target, is it? Why are we seeing so many nonfinancial organizations being attacked?
Look at where the real value is today. The recent IPO of LinkedIn is a good example. Why did their stock price double within hours of their IPO? It’s because they have all of this information about users and their habits that people either indirectly or directly provide about themselves, and it’s the same reason Facebook is valued at tens of billions of dollars: the information can be mined, aggregated, and used for marketing purposes. This is very valuable information.
That means consumers run the risk of seeing their information breached or leaked no matter which services they use?
Many of us accept the idea that information about ourselves is not something we have control over, and in most cases we have no idea where it goes when it’s out of our hands. Take the recent breach at [e-mail marketing firm] Epsilon, for example: how many consumers impacted by this had even heard of Epsilon before their breach disclosures started? Meanwhile, organizations that collect that information often don’t have as strong a sense of stewardship over it as they should. Also, breaches can be much more serious when they happen to companies that provide software-as-a-service. And we’re starting to see more of these [when] a vulnerability or weakness is disclosed or exposed in one common kind of platform or infrastructure, and then you may see a bunch of these incidents cascade. So what might have been one breach for a relatively small company turns into a breach that affects dozens of others, because those companies rely on it for outsourced data services. And we’re only going to be seeing a lot more of that, I believe.
You’ve touched on a sore spot—the often fuzzy IT buzzword of “cloud computing.” Do you think organizational appetites for outsourcing their data to third parties will weaken anytime soon because of security concerns?
I think in the next three to five years, if tech development keeps going the way it has been, for various cost and policy reasons a lot of companies will realize that cloud computing doesn’t give them the advantages they were counting on and will move things back into a data center or private cloud.
Thirty to 40 years ago, back when we had these massive data centers that were under control of centralized management because it was a huge investment in infrastructure, generally the data was under [tight corporate control]. Then we started moving out to distributed media and desktop PCs in most organizations, and I think the ’90s were about the low point in terms of centralized business control over computer systems. Now we’re getting back to the point where companies are realizing—especially with big shared databases—the importance of having more control over their data.