I was just thinking about the biggest breaches we’ve had in history, from companies like Adobe, LinkedIn, Equifax, Marriott, Target, etc., and wondering how badly they’ve been affected long-term.
Stock price doesn’t tell the full story of whether something impacted a company.
I’m wondering one specific thing about these top companies with the biggest breaches: What percentage of companies that were top-three in their industry dropped out of their top-three spot as a result of their incident?
Here’s the list I’m looking at, which may not be perfect.
I removed Yahoo and eBay because they were dying due to market forces unrelated to security breaches, and OPM because it’s part of the government.
- Home Depot
By my count, every single one of these companies has maintained its industry-leader position years after the incident. So the answer to the question of “what percentage lost their leadership position?” seems to be a big fat:
None. Out of these six—and I’m sure I’m forgetting some—they’ve all maintained their dominant position as if nothing ever happened.
There are of course many smaller companies—and especially startups—that had a bad incident early on and went out of business because of it. But that seems to be a case of chasing away investors more than the stock market or customers.
It’s just interesting to me that Adobe is still the market leader. Marriott is winning at the hotel Game of Thrones more than ever. Equifax is annoyed, I’m sure, but their position as an industry leader hasn’t been shaken as far as I can tell.
Target? Still #2 to Walmart in that space. Home Depot? Yep, still doing their thing and either #1 or #2. LinkedIn is just fine as well.
So why did I bother to notice this, or point it out?
It just seems really interesting to me that for top-N industry leaders, both stock price and competitive position seem immune in the long term to even the largest breaches that we’ve seen.
That doesn’t mean it doesn’t cost them money. And effort. And the opportunity cost. So it’s not pleasant or desirable or cheap for this to happen.
But it also doesn’t seem to be an existential risk for top companies, which is a belief that many people still hold.
I think lots of CEOs and CISOs and security teams proceed every day under the assumption that a big breach could be the end of their entire company. And maybe that’s best. Maybe people become good at their jobs—regardless of what they are—by convincing themselves that it’s more important than the reality.
But I can’t help but be intrigued by disconnects like this, where the general opinion among practitioners is divorced from the actual case.
Curious what others think—both about my assessment of infosec’s collective opinion on the existential threat, and about the overall analysis of how much mega-breaches affect mega-companies.