There are lots of metrics for measuring security readiness and response, but we think this one’s hard to beat: the time between when a security incident occurs at a major company and when the CEO is forced to make a grovelling public apology.
Sorry picture from Shutterstock
Forrester Research analyst Rick Holland suggests the ‘mean time before CEO apologises’ idea in a recent blog post. While it’s tongue-in-cheek, it does highlight one of the most important lessons in IT security: it’s always better to prevent an incident than to have to deal with the aftermath. And since you can’t prevent everything, it’s also crucial to be able to demonstrate everything you did do — since that will help the CEO prepare their apology.
Introducing A New Incident Response Metric: Mean Time Before CEO Apologizes (MTBCA)
Comments
8 responses to “‘Mean Time Before CEO Apologises’ Is The Ultimate Security Metric”
In a similar vain – we’re still waiting for a media statement from Nanna’s on the mixed berry incident. It’s like the company doesn’t even care to give lip service.
Pretty sure it turned out they were not responsible for it? Didn’t they test heaps of packets and found no traces of Hep A?
Didn’t know that so I did some digging:
But a Federal Health Department spokesperson said its investigation into the outbreak, which now affects 34 people in five states and the ACT, “is ongoing”. At least two samples show traces.
http://www.smh.com.au/business/retail/frozen-berries-maker-patties-says-no-links-between-recalled-fruit-and-hep-a-20150415-1mlpcf.html
So it’s kind of up in the air still. Hmmmm.
When they are lying and downplaying an incident with a ‘that’s the end of it’ statement, they only take a few days to a week. Then they flood the market with diversionary press releases and no mention or follow up ever again.
You can’t have a MEAN time to an apology by a CEO for an event unless you have multiple CEOs. It’s just the time to an apology. You could compare it to a mean for other CEOs and other events to see if it was more than the average or not, but that’s it.
I assume this mean would be over multiple security incidents at the same company.
Perhaps the shorter the time, the meaner the CEO?