Verizon Networks recently negotiated a $350 million discount on its acquisition price of Yahoo in response to massive breaches that resulted in the theft of 1.5 billion user accounts.
Kurt Opsahl pointed to the $350 million as a justification for security investment, tweeting “A reason why investment in infosec is critical: pay now or pay later.”
Respectfully, I disagree. You could argue that by not spending money on security, Yahoo was doing its fiduciary duty to its shareholders.
That’s because unless and until you’ve been breached, and assessed the extent of the breach and its resultant damages, you simply don’t know if your security investment is providing a return.
It’s possible that Yahoo could have ramped up its security budget by five or ten times and still been breached. It could’ve poured the whole $350 million into security and still suffered a similar outcome. What would executives and shareholders say to a security boss who burned so much money and got such a lousy result?
Or, to flip it on its head, let’s say Yahoo detected and mitigated the breach after only a million accounts were affected. That’s a much more positive outcome. But how much would the company have had to spend to achieve it? A hundred thousand dollars? A million? More?
The company still would’ve been pilloried for losing a million accounts, and would still face legal liabilities and penalties. So would that spending have been judged worth it?
Still Getting Paid
Instead of pitching money into what is essentially a black hole, doesn’t it, after a base level of spending, make more financial sense not to bother?
Consider that Verizon is still paying $4.48 billion for Yahoo. Two massive thefts didn’t put Yahoo out of business, didn’t see the exit of the CEO, and didn’t kill the deal. Verizon has even agreed to share liabilities associated with the breach.
Having more than a billion accounts stolen is a headache to be sure, but $4.48 billion buys a lot of aspirin.
Also, does anyone expect that the $350 million Verizon shaved off the deal will be poured back into Yahoo’s security organization? Perhaps a pittance. I expect some will be put aside for those aforementioned legal liabilities.
And the rest? Maybe a round of ivory back scratchers for the Yahoo execs who kept the deal together.