I think fraction of their executive bonuses would be quite enough to fully fund a fairly decent security effort. If security were designed into their processes, it would probably cost much less.
If the 100 TB figure is correct, this has been going on for some time - it takes time to steal that much data in a way that does not raise a bunch of red flags. If the red flags weren't there to be raised or they were and were ignored, well... at least their executives got their bonuses.
Also, in the interest of fairness, while this malware attack seemed to be directed to Windows machines, a dedicated enough intruder would have developed attack strategies for any platform.
A "fraction" of a bonus. Let's assume their bonus is a paltry 100k. A good infosec pro expects on average to be making at least 200k, so you have already blown out your budget. You can take a swing at hiring a consultant, but that gets you 5 weeks at around 70k, so you are eating a huge chunk of your fractional bonus budget.
Consultants don't really work for systemic problems like this though. Sony has cancer. They need empowered specialists to come in and tear out and then replace. These are both technical and managerial problems that exceed the capabilities of your average defcon attendee.
I disagree with both the approach you have taken here in envoking executive pay envy, as well as the substance. Security is hard. Practicing good security is expensive. You don't get to throw a couple of hundred grand around once and call it good. It is an ongoing and expensive investment.
> A "fraction" of a bonus. Let's assume their bonus is a paltry 100k. A good infosec pro expects on average to be making at least 200k, so you have already blown out your budget.
I agree with your overall point, but the first page of the leaked salary list alone has something like $35M worth of bonuses. Say the high-level execs are the only ones sacrificing their pay, and the 'fraction' of bonuses was 20%, you'd have $7M annually to spend on infosec -- in addition to all of the money they're already spending (and apparently wasting). This would pay the salaries of ~30 top-notch security people.
Ostensibly, executive bonuses in publicly traded companies are tied to actions that are a proxy for increasing shareholder value. Massive damaging hacks are not good for shareholder value.
In any case, it was just a comparative point, they clearly have the cash flows to hire competent security staff without impacting others' pay if they so desire.
In any case, thanks to the leaked information, it should be easy to tell exactly how much Sony paid the people who are responsible for this mess.
Security is hard, but this looks like a lot of low hanging fruit being picked effortlessly. My bet is that just a tiny bit of effort would have made the intruders work much harder.
100TB? Seems more likely nobody noticed a team carrying out some thirty-five 3TB external drives. If their network was able to maintain operations while somebody sucked out 100TB of data through their gateway, I'm impressed.
Any serious operation dealing with the amount of media (images, videos, various editing files, etc) that Sony was is going to have very fat pipes. They probably moved upwards of a few TBs a day.
If the 100 TB figure is correct, this has been going on for some time - it takes time to steal that much data in a way that does not raise a bunch of red flags. If the red flags weren't there to be raised or they were and were ignored, well... at least their executives got their bonuses.
Also, in the interest of fairness, while this malware attack seemed to be directed to Windows machines, a dedicated enough intruder would have developed attack strategies for any platform.