- Compliance - to comply with internal or external regulations
- Compelling Event - a response to an incident (typically a breach)
- Competitive Advantage - as a marketable advantage to offer their customers
- Due Diligence - demonstrate some effort
- Compliance --> 50%
- Compelling Event --> 30%
- Competitive Advantage --> 5%
- Due Diligence --> 15%
I've rambled and ranted for and against compliance in past conversations; and I think this illustrates my point even further. Now, I know these aren't scientifically accurate numbers but based on experience most of the customers I've dealt with over the most recent 12 months have been driven to purchasing products & services because PCI says so. They're not actually interested in better security, they just want to do the minimum amount of work that allows them to check the box, and move on.
I have gotten many frantic, panicked calls over the last several months from people who read my blog and figure out where I work and want to evaluate (as an example) web application security tools because they've had some incident they can't tell me about... but it's clear they're about to be audited or fined by some regulatory body and they must demonstrate they're trying to right their ship... like yesterday. This rarely goes well because the intention here is to fix (as Arian Evans pointed out recently on the WASC mailing list) a single instance of what troubles them.
I've had the pleasure of working with 1 (yes, 1... in 12 months...) company, which I cannot name, that has started a comprehensive security programme in order to then use it as a marketable competitive advantage. Whether this will be a straw man dressed in fine clothes... that is yet to be seen.
Doing due diligence work is tough. There is a fine line between being able to say "we've done something" and "we're confident we have mitigated our risks appropriately" - not surprisingly most companies go for the former. Due diligence is all about demonstrating that you've done "what is necessary and proper" - which sucks because it's always left to interpretation. Who gets to say that you've done enough?
In the end you'll probably by now realize that there is no option #5 - "To Be More Secure". Maybe it's today's economic climate, maybe it's that we're still selling life insurance to a reckless youth, or maybe we simply can't measure our own success... I'm going to go with all of the above for a thousand please, Alex.