Recovery Expenses for Sony Over PlayStation Hack to Exceed $173 Million Dollars & a CEO Job

The New York Times reported today that the recovery expenses for Sony, Corp., related to its hacking incident this past April will likely exceed $173 million U.S. dollars.  This announcement coincides with the Company’s decision to promote Mr. Andrew House to the position of president and chief executive of Sony Computer Entertainment.  This position was once held by Mr. Kazuo Hirai who oversaw that division during the hacking incident. 

As organizations begin to assess the costs associated with incorporating a data governance program into their overall risk management strategy, the lessons and actions at Sony, Corp., can act as a baseline model for cost-benefit purposes.  The implementation of a data governance program begins with executive leadership who are committed to the promotion of a “tone at the top” culture of compliance.  The replacement of Mr. Hirai, as president and chief executive, highlights the Board strategy at Sony, and how they intend to change the “tone” within the core business unit of PlayStation.

During Mr. Hirai’s tenure as president and CEO, he failed to envision a proactive culture of compliance around data governance.  The public comments he made, and arguably the ones levied by his boss, Mr. Howard Stringer, show just how ill-prepared Sony was to respond to a cyber-attack.  If an organization takes into account key ledger items like: legal fees (which include costs associated with retaining attorneys to handle both the transactional and litigation matters that will arise); collateral fallout to other brands (i.e. “if PlayStation can get hacked, what about their other products?”); decrease in revenue (i.e. of the over 100 million user accounts that were breached, how many users are still with PlayStation?); loss of brand reputation (for the rest of its existence, PlayStation will be known as the product that got hacked into and shut down – better change the name, see AIG – Chartis); and executive management change to promote a new corporate image and agenda, then the price tag for cyber-incidents, like the one at Sony, begins to become more realistic.

My critiques of Sony and its cyber-governance failures aside, I will acknowledge that a change in executive management is a critical first step to recovery from a cyber-incident (of course, that currently comes with a price tag of $173 million U.S. dollars).  For the small and large organizations trying to get their hands around whether data governance is an important part of their risk management strategy, the savvy entrepreneur should recognize that it is extremely difficult to measure the cost-benefit of implementing a data governance program in an organization that has a reactive corporate culture.