There's a reflexive--and, in a lot of ways, understandable--impulse on the part of large, successful corporations to keep information about network security breaches quiet, but like a lot of misguided impulses displayed by the powerful (sorry to pile on, Anthony Weiner), it's likely to come back to haunt you.
Citigroup (NYSE: C) divulged last week that its network was attacked one month prior and that personal information was stolen from 200,000 of its credit card customers. The disclosure brought to light the widespread data security challenges that plague the financial industry. In a textbook illustration of the conventional wisdom that companies don't make sufficient investments in security until it is too late, the company assured everyone that "Citi has implemented enhanced procedures to prevent a recurrence of this type of event."
Policy makers are fed up. After Citigroup's disclosure, the chair of the FDIC announced plans to ask banks to tighten up their authentication requirements for customers. On Capitol Hill, lawmakers redoubled their calls for more timely breach notification. New laws and tighter regulations will not necessarily ensure more secure data, though. Such measures always risk becoming new hoops to jump through and more boxes to check off without the commensurate improvements in security that were expected. The history of FISMA compliance is but one example.
So what would it take to actually make networks more secure? It comes down to the trade-off between short-term and long-term reward. Do we invest only in what is necessary to advance next quarter's bottom line, or do we invest in the necessary tools to sustain a business over the long haul? It is a question of how we see ourselves fitting into the broader society and what we want for that society over time.
At root, the debate about network security comes down to this: Are we in this game just for ourselves today, or do we still care at least a little bit about posterity? I think it's a good question for every CEO