Sony isn't saying, but more on that in a moment.
The fact that Sony didn't have a CISO came to light when the electronics giant said it would name a chief information security officer as part of a plan to improve IT security after intruders last month hacked into its PlayStation gaming network and Qriocity music service, exposing personally identifiable information found in 100 million customer accounts.
Sony never explained why it didn't have a CISO. Repeated attempts to reach Sony for an explanation were unsuccessful. (See Why CISOs Must Care About Sony Breach)
But speaking with industry experts, one concludes that Sony has historically addressed information security at its multitude of business units, not at headquarters. It has treated security tactically, not as a corporate strategy.
Three weeks after the attack, Sony still hasn't allowed customers to enter the network to reset their passwords or edit credit-card information. "It is evident that they may not have focused on recognizing what their risk exposures really are, particularly in the PlayStation network," says Scott Crawford, managing research director for Enterprise Management Associates, an industry analyst and consulting firm.
Sony's absence of a CISO does not mean the company failed to have security professionals managing this function. What it does indicate is that the tone at the top was clearly missing to provide a common framework to manage risk. "A key point to make is that companies can be breached with or without a CISO, but having one improves the company's ability to manage the risk, and if breached, more effectively respond," says Brett Wahlin, CISO at McAfee, a security product and solutions provider.
Acquisitions are how multinationals become big. Since 1983, Sony has acquired more than three new businesses a year. And these new subsidiaries often remain independent.
Kent Anderson, president of risk management consultancy EnCurve, can't address the specifics of Sony's woes, but he once ran IT security for 22 international subsidiaries at Digital Equipment Corp. and can provide insight into security management.
"Maybe there's a good business reason why you acquire a company and allow them independence," Anderson says. "But from a security perspective, this creates a dilemma. Disparate groups taking care of security and determining risks and controls on their own do not meet corporate goals."
But for some large and diverse organizations, doing what seems evident isn't always easy to pull off. Sony's business units include consumer electronics, commercial electronics, entertainment and gaming. "It is a truly diversified and a billion-dollar multinational organization with their fingers in a lot of different directions and a lot of industry verticals," Crawford says.
And, he says, executing a centralized IT security strategy won't be easy. "The fact they will now have a CISO speaks of the challenges of consolidating risk priorities and functions."
But let there be no doubt: In today's threat landscape, having a corporate CISO isn't just the best option - it's the only one.