knows, we won’t get in trouble!”
✦ This is behind attempts to hide breaches behind attorney-client privilege. It’s why breach-reporting laws exist!
✦ It’s garbage humanning anytime people could be hurt because of the incident.
✦ The coverup, once exposed, will be hugely worse PR than the actual incident was. Guaranteed.
✦ It’s also hard to put resources into fixing something that nobody’s admitting happened.
✦ Super-common thing: infosec staff see vuln, ask for resources to fix vuln, get told no. Attack exploits vuln, gets big press, org blames/silences infosec staff.
✦ Infosec staff 1) leave, 2) blow the whistle, with receipts. This doesn’t improve matters for the org, to say the least. Example: Fairfax County Schools ransomware attack, 2020.