My vendor experienced a major breach — should I continue with them?
Senior Information Security Manager in Software, 3 years ago
It comes down to how they handle it. Just because one company was hacked doesn't mean the competition won't be hacked. The question is, how did it happen and how did they respond to it? How transparent were they?
If companies can take these expensive breaches and make themselves better from it, then you stick with them. RSA SecurID, for example, seems to have recovered quite well from the incident they had years ago. And when it comes to switching vendors, it’s one thing if you’re a 300-person company, but if you have 10K employees, the cost to switch and modify all the applications that have embedded authentication is a massive undertaking. That's another thing to consider.
I tend to look for the indicators of security maturity that a breach uncovers. That usually goes to how crisis communications and response get handled after the fact if there's some big incident, like the Okta compromise. In Okta’s case, the initial information that came out could have been better. I don't think we'll ever know whether they were operating on incomplete information or whether they were being deliberately evasive. But to their credit, they turned that part around once they got to the point where they felt they had all the right information available. Once they were able to gauge where people needed additional information, they provided it. Even if the initial aftermath was a bit bumpy and they didn't have their playbooks all ready to go before there was an incident, their recovery indicates maturity within the organization, which I take as a good sign in general. It's not everything and it's not nothing; it's just one of those data points you can pull out.
In the context of a bounty program, when an organization first gets their code hacked by someone from halfway across the planet, it's like they finally realize that the bogeyman's real. That moment is often the first time someone goes through the emotional experience of being breached, and from there, there's an internalization of the fact that bad things can happen. It tends to end up being a productive event, so breaches can have that same effect, as long as there's maturity within the organization to receive those learnings and do something with them.