Twitter cracks me up sometimes. I was tagged in a tweet that pointed out I was among more than one individual representing a breached company on the PCI Advisory Board. My response?

Look out that window.

(Photo: "Phat Wad, Break me off some" by Refracted Moments)

I submit to you that the companies with the best security programs might be those that have suffered a breach in the last twelve to twenty-four months. The program was weak enough to allow the breach to occur at the time, but the severity and specifics of the breach highlight corrective actions for management to address. From the breaches I have been involved in, management tends to knee-jerk pretty hard and improve their game.

Even without a breach, only a tiny percentage of companies truly “get it.” Whether they “get it” because they have an executive in the company that has weathered a breach or because they have a savvy security team that is truly effective at information protection, these companies are ones we should collectively aspire to be like. The real kicker is we may never know who those companies are simply because they won’t end up in the news.

Unfortunately, most companies that have never suffered a breach are either complacently compliant with baseline security practices hoping someone else is a better target than they are, or just plain lucky. You can even argue that companies that have suffered a breach are also lucky, just the dark grey cloud kind. Does it take a breach to get executives to take security seriously? I’m not in favor of using gasoline to make a bigger fire for executives to put out; it’s our challenge to figure out a non-gasoline way to elevate the conversation to their level.

This post originally appeared on