While many believe there is no such thing as bad publicity, there is one type that you would like to avoid: Bad-Breach-Publicity.
Even the most well-managed crisis would leave a dent in a company’s reputation, and ultimately its balance sheet, so management tends to pay attention to announcements that make the news.
All unscathed companies that read about the breach go through a known series of events. The morning after, the CISOs can expect a call from the CEO, or the board members, about the relevance and preparedness of their organization to the malware-de-jure. Along with the check-in comes an action item to prepare a presentation for the management forum as well as apply corrective measures.
Of course the CISO, on his or her end, was never waiting for the headline. The security team is working year-round to prepare for any new threat. But alas – this is how the wheel turns. Till the next headline.