common denial

I am lucky enough to get to talk to non-security people about security. One of the things that most non-security people know and ask me about are breaches. Breaches are one of the few security things out there that just about everyone knows about. Even my mom seems to understand the impact of a breach and “gets it”. Breaches get on the news, possibly even front covers of newspapers and magazines. Of course as individuals I have learned recently that you could never imagine that it would happen to you, until it happens to you.
Corporations think the same way. They never think that it could happen to them. We all live in this little bubble. Sometimes we come out of that little bubble though when we feel that there are others like us. We feel more comfortable standing together, then standing alone. That is why having a breach within your company has become something cool to announce when another company has announced it too. Wow, if they said they had one, then I can finally say that I had one too. I don’t need to have all the focus on me if I stand in a group of people that also have the same “issue”. When it happens to many companies, then the understanding or questioning as to why or how it happened begins to change. It goes from what did that company do wrong to… what is going on with all these breaches and who is doing them… how is the IT and security environment changing. It becomes a report on 60 Minutes.
It’s cool to stand together but it is even more cool to stand together within a group of companies that have been breached. I am not preaching whether this is good or bad, but I do feel like no one wants to be the first to announce the breach. I understand that there are regulations that state companies need to announce when there are certain types of breaches but believing that happens is like believing that a password is going to protect you. Next time a large corporation announces they had a breach, watch to see who else announces a breach around the same time. It’s the cool thing to do.