The CIO of a rather large Australian company recently told me that the firm was happy with its security set-up but then quickly made a U-turn. Would that statement, on record, effectively lay down a hacker challenge?
When questioned about the security of the company's network, the CIO's initial response was: "I don't have a lot of worries about security". The CIO then explained how the company invested a decent percentage of its revenue into securing its network and educating its users.
"We are probably much more secure than the average Australian company [in the same industry]... as far as the frameworks, firewalls and different detection systems, they are pretty hardened... security doesn't keep me awake at night," the CIO said.
As the CIO was answering my question, the company's public relations representative started looking a little agitated. The PR said: "that is an interesting challenge you have put out there" and suggested that the CIO had "thrown down the gauntlet" to hackers of the world, who would now be inspired to try to infiltrate the company's infrastructure.
The PR person claimed to have been "trained to look at the worst case scenario" and didn't want the company to be seen "challenging" any potential hackers.
Was this an overreaction?
Had the CIO said something like "our network is unhackable" then maybe I would understand, but not when they simply stated that IT security wasn't something to lose sleep over.
The PR suggested 'clarifying' the situation with comments about "taking security seriously, always looking to improve the technology and education etc. etc.".
Is this level of paranoia justified?
Not if trading exchange firm Betfair's director of infrastructure, Paul Moss, is anything to go by.
In a press briefing this week, Moss went into detail about how the company network was designed to withstand massive DDoS attacks and has redundancy on every level -- even to a point that when the firm flew its data centre over to Tasmania from the UK, it did it on two separate planes in case one went down.
Have you been hacked simply because you said you were secure? Would admitting your system is full of holes make you safer because you are less of a challenge?