I went through data security training recently around breaches, and found the word “consequences” an interesting piece of the vocabulary. When I worked at Kleiner Perkins, I had the opportunity to work with the folks at Area1, an anti-phishing company. It’s also how I learned, via Ted Schlein, the popular motto used in the information-security space:
I firmly believe there are only two kinds of companies in the world, those who have been breached and know it and those that have been breached and don’t know it. Trying to prevent a breach is not sufficient. You need to move to a mentality of detect, contain and remediate.
Ted Schlein
In my training, I learned the “six consequences” to be:
- Revenue Cost
- Ruined Reputation
- Vandalism
- Theft
- Stolen Identity
- Damaged Intellectual Property
Two that aren’t supposed to be consequences (according to a multiple-choice test) are:
- Brand recognition
- Cost efficiency
But I’d argue that you should add in those two consequences because:
- Your brand gets recognized in the media, but negatively. Considering the old saying that even being spoken about negatively gets your name out there, the value to extract from an “oops” is in how gracefully you recover.
- Your suppliers might think twice about you as a problematic customer for their own data security, and thus increase your costs. This might open the opportunity to talk with your suppliers about how to emulate their best practices, by showing some vulnerability and a willingness to co-learn.