Sony Pictures Management: Above Average but Far from Perfect
How Competent is Management at Sony Pictures?
Truth be told, management at Sony Pictures is above average, yet far from perfect. Their handling of the 2014 security breach and the subsequent impact on their company highlights the challenges of maintaining cybersecurity in a connected world.
Network Security: A Tale of Competence
Network security is a critical aspect of any company, particularly in the tech and finance sectors. Banks and IT companies often lead the pack, thanks to their constant exposure to cyber threats. This continuous pressure drives them to stay ahead of potential vulnerabilities. Other sectors, such as software companies, also face their share of breaches, and many have dealt with significant data thefts. Service companies, like Sony Pictures, stand on par with this group, indicating they are not at the top of the list but also not at the bottom.
When it comes to more traditional sectors, life science and healthcare companies often lag behind. These industries are generally five to ten years behind IT companies in terms of technological and security advancements. Even further down the list are consumer retail companies, where incidents like the Target data breach demonstrate their vulnerability. Some manufacturing companies, however, might still be using outdated technology, highlighting a significant gap in modern cybersecurity practices.
The Sony Pictures Breach and Its Aftermath
The 2014 cyberattack on Sony Pictures was more than just a breach; it was a profound lesson in inadequate corporate security management. The incident involved leaked emails and sensitive data, painting a picture of a company out of touch with today's interconnected world. The clumsy management of the incident, which involved threats against journalists and the disruption of Twitter, further underscored the company's failure to adapt to modern cybersecurity challenges.
The hack could have been prevented if the right lessons were learned from previous incidents. For example, the 2011 PlayStation Network hack should have served as a wake-up call, prompting Sony to tighten security measures. However, it seems the company did not implement any significant changes at headquarters, raising questions about the effectiveness of their management's decision-making and response mechanisms.
Management and Security: A Critical Analysis
To truly assess the management's competence, one must consider several factors. Firstly, Sony's CISO (Chief Information Security Officer) should have had the budget and influence to prevent such a breach. In many enterprises, the CISO is second only to the Chief Compliance Officer in terms of budget and power, but this was not the case at Sony. This indicates a systemic flaw within the company's structure, where the CISO lacked the necessary leverage to enforce robust security measures.
Secondly, the integration of cybersecurity into the overall IT strategy is crucial. The CISO should have had a direct line to senior management, including the CEO, CIO, and CFO, to ensure that funding and resources were allocated appropriately. The absence of such a pipeline at Sony suggests a disconnect between the CISO and the rest of the management team, which contributed to the vulnerability of Sony's systems.
Lastly, the incident indicates that Sony underinvests in security talent and technology. It is essential for companies to emulate industries with high-risk profiles, such as energy and financial services, which place a greater emphasis on cybersecurity. Unfortunately, despite the 2011 hack and the likelihood of ongoing lawsuits, there is no evidence that Sony will significantly increase its cybersecurity efforts in the near future.
It is clear that Sony Pictures' management is above average but still lacks the foresight and capability to fully protect their company from modern cyber threats. For true improvement, a new generation of management that prioritizes cybersecurity must come to the forefront. Only then can Sony Pictures hope to regain the trust of its stakeholders and the public.