‘Mean Time Before CEO Apologises’ Is The Ultimate Security Metric

9 years ago

May 22, 2015 at 9:30 am

There are lots of metrics for measuring security readiness and response, but we think this one’s hard to beat: the time between when a security incident occurs at a major company and when the CEO is forced to make a grovelling public apology.

Sorry picture from Shutterstock

Forrester Research analyst Rick Holland suggests the ‘mean time before CEO apologises’ idea in a recent blog post. While it’s tongue-in-cheek, it does highlight one of the most important lessons in IT security: it’s always better to prevent an incident than to have to deal with the aftermath. And since you can’t prevent everything, it’s also crucial to be able to demonstrate everything you did do — since that will help the CEO prepare their apology.

Introducing A New Incident Response Metric: Mean Time Before CEO Apologizes (MTBCA)

Comments

8 responses to “‘Mean Time Before CEO Apologises’ Is The Ultimate Security Metric”

READ THE COMMENTS

zenu

May 22, 2015

In a similar vain – we’re still waiting for a media statement from Nanna’s on the mixed berry incident. It’s like the company doesn’t even care to give lip service.
1. darren
  
  May 22, 2015
  
  Pretty sure it turned out they were not responsible for it? Didn’t they test heaps of packets and found no traces of Hep A?
  1. zenu
    
    May 22, 2015
    
    Didn’t know that so I did some digging:
    
    The frozen fruit company embroiled in the unfolding hepatitis A outbreak says its own laboratory test results show no links between its recalled berries and the virus, as well as E. coli.
    
    But a Federal Health Department spokesperson said its investigation into the outbreak, which now affects 34 people in five states and the ACT, “is ongoing”. At least two samples show traces.
    
    http://www.smh.com.au/business/retail/frozen-berries-maker-patties-says-no-links-between-recalled-fruit-and-hep-a-20150415-1mlpcf.html
    1. darren
      
      May 22, 2015
      
      So it’s kind of up in the air still. Hmmmm.
kendal

May 22, 2015

When they are lying and downplaying an incident with a ‘that’s the end of it’ statement, they only take a few days to a week. Then they flood the market with diversionary press releases and no mention or follow up ever again.
Nitpick

May 22, 2015

You can’t have a MEAN time to an apology by a CEO for an event unless you have multiple CEOs. It’s just the time to an apology. You could compare it to a mean for other CEOs and other events to see if it was more than the average or not, but that’s it.
1. mokalusofborg
  
  May 22, 2015
  
  I assume this mean would be over multiple security incidents at the same company.
2. ammusionist
  
  May 25, 2015
  
  Perhaps the shorter the time, the meaner the CEO?

Our Housing System Is Broken and the Poorest Australians Are Being Hardest Hit

12 of the Best Lamps to Buy If You’re Sick of Using the Big Light

Limit Your Data Usage With These Plans and Phone Settings

Baby Reindeer: How the Series Brings a Needed Perspective on Male Victimisation

The Secret to Happiness, According to Psychology Experts

Here Are Amazon Australia’s Best Deals of the Week

TPG Has Changed the Prices for Almost All of Its NBN Plans

Wrap Me in ALDI’s $30 Heated Winter Travel Blanket

JB Hi-Fi Is Clearing Out Games For As Little As $2

Amazon Australia Beauty Week Sale: 24 of the Best Products to Shop

‘Mean Time Before CEO Apologises’ Is The Ultimate Security Metric

Comments

8 responses to “‘Mean Time Before CEO Apologises’ Is The Ultimate Security Metric”