“They are not taking security seriously.” This is a common refrain from security practitioners when talking about, well, just about anyone not in security. Most often it is directed at managers and executives in the “business” or “operations” division in any given organization. You know: where money gets made and how people get paid. Whenever a security problem arises whose fix would infringe on operations’ ability to make money, the business executives put the kibosh on whatever fix would address the problem and ‘accept the risk.’
The security practitioner will try to present data to help bolster their case. Some recent bits that they might use:
“Consumers lost an average of $1,800 last year in Internet crimes and a total of $535 million overall, according to the Internet Crime Complaint Center's annual report on consumer complaints it received in 2012.”
“In two precision operations that involved people in more than two dozen countries acting in close coordination and with surgical precision, thieves stole $45 million from thousands of A.T.M.'s in a matter of hours.”
Most business executives are not scared by these kinds of statistics. Why? Because getting robbed doesn't really impact the top-line; improving security definitely eats into the bottom line.
Consider the massive ATM hack mentioned above. The money quote is related to the amount that was stolen, but not in the way you think:
“The U.S. accounts for about a quarter of the world’s card spending but about half of the world’s card fraud. The odd $45 million here or there doesn't make much difference to the overall calculation,” says Dave Birch, a director at electronic transactions consulting firm Consult Hyperion.
“It boils down to the lack of a business case that is based purely on security.”
Basically, getting robbed sucks, but getting robbed of the loose change in your sofa doesn't merit dropping thousands of dollars in a new home alarm system and a pair of highly trained Dobermans.
I wrote about this same problem, albeit from a different angle, before. The bottom line then and now is the same: security that isn't in sync with the core business is never going to garner respect, or accomplish anything meaningful. If you want to spend the rest of your life as a digital janitor, cleaning up after other people exploit yesterday’s engineering mistakes, knock yourself out; just stop complaining about the fact that no one wants to hear about the problems with your mop bucket.
This is not a dig at janitors. Janitors (particularly digital ones) are not stupid, but their input on strategies to improve revenue generation or grow a business isn't particularly well informed. Now, if I had a business goal to cut costs, and the janitor came to me and said, "Boss, I've got a way to keep the floors and carpets just as clean as they are now, but it'll take half the time to complete the job and cost two-thirds as much as it used to," I'm going to listen to that man because he's credible (talking about his area of expertise) and he's making a meaningful contribution (to the business as a whole). The more security practitioners start to think about how they can contribute to the business, the more respect they are going to get and the more they are going to get done. Fighting the power only works if you're a rap star: everyone else has to bend down to the god of profit.