[xfitm3]

Security is a SG&A line item, I am sure they are far more fixated on physical security due to their business vertical and had a gap. There will be many cyber companies chomping at the bit to get a piece of the inevitable (I made this number up) 100m MGM will spend on Cybersecurity over the next 5 years.

They won't make the same mistake twice and will build a comprehensive cybersecurity program, and it will succeed. Up until someone questions this cost and they forgot what they are paying for because everything was so smooth and repeat the cycle.

The objective of security is risk identification and management, not creating an impervious barrier for potential adversaries.

[Veserv]

Ha, that is funny. I have literally never met a CISO who shares your confidence. Not a single one of the companies chomping at the bit can protect MGM against a multi-million dollar ransomware attack. Companies get hacked because commercial cybersecurity by the big names is useless against the modern, prevailing threat landscape of organized crime. The sum total of their ability is stopping unskilled children, and even then only sometimes.

Just ask any CISO if they would bet their job on surviving a $1M unrestricted red team exercise with a year-long timeframe. They would all be scared shitless by the thought. I bet if you asked the CISO of MGM three days before the attack: "How much would it cost to hack MGM and cripple operations?" they would answer like every other CISO I have heard answer that question and say something on the order of $100K. They know it does not work; they are there to be sacrificed and just hope it does not happen on their watch.

[xfitm3]

You're mistaking compliance with a competent security program.

[Veserv]

I am not. Name one competent security program certified and verified to stop total compromise by a $30M unrestricted red team exercise which is the ransom amount demanded by the attackers on Caesars just a few weeks prior.

Keep in mind that amounts to around 100 person-years of dedicated hacking labor. I get a team of 50 and 2 years to achieve total compromise. I get to burn 5-10 zero click RCE zero-days. The idea that any of the commercial cybersecurity companies or any commercial IT organization could design a system that could resist such an attack is laughable. This is not a question of resources, it is one of ability.

I agree, compliance is not an above-average security program. But an security program that is merely above-average is woefully underprepared for the modern threat landscape. You need a security program 100x better than “best practices” to stand a meaningful chance and you are not finding that amongst the charlatans in the big cybersecurity players.

[thefourthchime]

“ They won't make the same mistake twice and will build a comprehensive cybersecurity program, and it will succeed. Up until someone questions this cost and they forgot what they are paying for because everything was so smooth and repeat the cycle.”

You couldn’t have said it better.