
Let's talk numbers.

A "fraction" of a bonus. Let's assume their bonus is a paltry 100k. A good infosec pro expects on average to be making at least 200k, so you have already blown out your budget. You can take a swing at hiring a consultant, but that gets you 5 weeks at around 70k, so you are eating a huge chunk of your fractional bonus budget.

Consultants don't really work for systemic problems like this though. Sony has cancer. They need empowered specialists to come in and tear out and then replace. These are both technical and managerial problems that exceed the capabilities of your average defcon attendee.

I disagree with both the approach you have taken here in invoking executive pay envy, as well as the substance. Security is hard. Practicing good security is expensive. You don't get to throw a couple of hundred grand around once and call it good. It is an ongoing and expensive investment.



> A "fraction" of a bonus. Let's assume their bonus is a paltry 100k. A good infosec pro expects on average to be making at least 200k, so you have already blown out your budget.

I agree with your overall point, but the first page of the leaked salary list alone has something like $35M worth of bonuses. Say the high-level execs are the only ones sacrificing their pay, and the 'fraction' of bonuses was 20%, you'd have $7M annually to spend on infosec -- in addition to all of the money they're already spending (and apparently wasting). This would pay the salaries of ~30 top-notch security people.


Why would the high-level execs sacrifice their pay? Is their pay really at risk from this breach?


Ostensibly, executive bonuses in publicly traded companies are tied to actions that are a proxy for increasing shareholder value. Massive damaging hacks are not good for shareholder value.

In any case, it was just a comparative point, they clearly have the cash flows to hire competent security staff without impacting others' pay if they so desire.


Indeed. Why would they ever act to sacrifice themselves to benefit the company?


I think your 100K figure is overly pessimistic.

In any case, thanks to the leaked information, it should be easy to tell exactly how much Sony paid the people who are responsible for this mess.

Security is hard, but this looks like a lot of low hanging fruit being picked effortlessly. My bet is that just a tiny bit of effort would have made the intruders work much harder.



