If You Hire Specialists You Should Probably Listen to Them

Since the breach at Target, several other high-profile cases of customer credit card data being stolen have arisen. Home Depot is one of the stores whose credit card data was obtained by unknown third parties. What’s interesting about the Home Depot case is that it’s beginning to appear as though the company’s internal security team issued a warning about the problem several years ago:

But despite alarms as far back as 2008, Home Depot was slow to raise its defenses, according to former employees. On Thursday, the company confirmed what many had feared: The biggest data breach in retailing history had compromised 56 million of its customers’ credit cards. The data has popped up on black markets and, by one estimate, could be used to make $3 billion in illegal purchases.

Yet long before the attack came to light this month, Home Depot’s handling of its computer security was a record of missteps, the former employees said. Interviews with former members of the company’s cybersecurity team — who spoke on the condition they not be named, because they still work in the industry — suggest the company was slow to respond to early threats and only belatedly took action.

A heads-up from an anonymous former employee isn’t solid evidence, but it wouldn’t surprise me if this is true. Companies have a history of putting aside time and money to hire security specialists only to ignore their advice. This is something that I have never understood. Why would any company invest resources to hire specialists only to ignore their advice? When you hire security specialists you should expect them to deliver bad and costly news, especially between the time you first hire them and the time you have a chance to implement their recommended security practices. Yet so many companies seem dead set on ignoring any bad news delivered by their security specialists. It’s stupid; that’s the only word for it.