John Pescatore

Here in the Washington DC area, we had a horrible crash on the Metro subway system. The causes (and I bet it will be plural) of the accident are still under investigation, but one fact has come to light: after Metro crashes in 1996 and again in 2004, National Transportation Safety Board (NTSB) investigators determined that the older series 1000 Metro trains were “…vulnerable to catastrophic telescoping damage and complete loss of occupant survival space.” NTSB back in 2004 recommended those trains be retrofitted or replaced. However, the Washington Area Metropolitan Transit Authority (WMATA) said lack of funding prevented them from doing so and today 30% of Metro’s train fleet is the older, more fragile train model. WMATA’s spending in 2008 was approximately $1.9B.

Unless you live in a world of unlimited budgets, all spending in any business is a tradeoff against competing demands and business objectives – security (and safety) are no different. However, if you identify the crown jewels that keep your business running in the physical world it is customers and in the electronic world it is quite often your customer’s data. The protections around those crown jewels should be high-priority investments, essentially must have/cost of doing business kinds of things. If you play to old “probability of event times cost of event” for incidents that impact those crown jewels, you are pretty much guaranteeing failure.

That doesn’t mean the spending on protection has to be infinite, or that the protection needs to be so great that it impedes business value – it means that business decisions have to made that prioritize lack of fragility around customers and their data as absolute costs of doing business vs. trying to hide behind risk calculations. Just as TJX and Heartland, and many of the airlines that had crashes that were easily preventable found out before them, WMATA will likely see that the cost of this one incident will easily swamp the costs of making sure its customers were protected when the inevitable crash occurred.