Isn’t TJX already an outlier? How many $50 million dollar breaches are there?

But to answer your question – You know I can’t say “become PCI compliant”

It’s my (small sample size warning) experience that retailers, in general, don’t prioritize information risk management.

The argument the CISO would like to make is that spending a few million (more) on IRM budget would reduce the likelihood of incident. Therefore it makes sense to spend $5million to prevent the probable (or what’s more likely communicated, worst case) loss of $50 million.

The business owners tend to think more in terms of cash flow. I’m not saying that they like to make $50 million one time charge-offs, but outfits the size of TJX will accept them. On the other hand, taking $5 million in cash that could open several new stores or a new market and allocating it to a _potential_ loss situation – that’s just not compelling.

So therefore, I’d have to say that maybe – MAYBE – Ms. Meyrowitz’s peers are making the right business decision if they’re don’t doing anything and roll the dice.

It’s all in the utility of that $5 million they could spend to upgrade their IRM program, isn’t it?

What are your suggestions, Adam?

Unfortunately, “stuff happens”, and precisely because information about breaches does not magically appear everywhere at once, it is sometimes methodologically necessary to use a somewhat wider event window. Mandatory centralized disclosure would lessen this.

Here’s an interesting question – how many of Carol Meyrowitz’s peers do you think are now thinking “Man, I can’t let that happen to me, I better spend some money on InfoSec”?