No. Absolutely and unequivocally not. I am drawing the line in the sand. Business leaders need to understand there is no more need for proper security to justify itself over and over again. It saves you time and money (period).
Properly implemented information security provides business process improvement, technology improvement and threat reduction. Compliance controls that cover each of these areas to accepted “best practices” will save your organization money by the truckload and provide for expansion of your business tenfold if not more.
Far too often businesses require “measurable” savings when the cost reductions and business enablement is as obvious as a freight train hitting you while you are siting on the tracks. Below I will detail a simple walk-through of a compliance driven organization versus a non-compliant organization which makes it obvious that it is better and more efficient to be compliant as a business.
Security background checks eliminate the need to wade through candidates that cannot be trusted for sensitive positions saving on hiring costs.
… and much more
Firewalls clearly reduce un-needed load on the network saving bandwidth costs
Anti-Virus software has clear cut costs (that happen to be measurable) in saving response times from IT helpdesk personnel
Anti-Malware saves individuals and companies by reducing the threat of identity theft and having to disclose a breach
Data Loss Prevention software clearly enhances control of data for eDiscovery legal processes, managing information and backup/recovery of that data into single repositories not to mention enforcement of where that data goes (saving intellectual property)
Encryption clearly reduces costs by enabling collaboration with third parties (in fact it enables all businesses on the internet to do payment processing) something we sometimes forget.
Virtual Private Networks (VPN) enable remote access which means workers can work after hours or remotely while traveling (FOR FREE!)
Banks offer employees online access directly from work (the old days you had to leave work to go to the bank)
Risk & compliance means that systems are patched and maintained all in a similar fashion with similar configurations which leads to huge troubleshooting time saved since systems are less customized individually.
Customers are now able to interact with companies quicker and more efficiently than ever when these security controls have been put in place.
…and much more
Lower reporting costs for disclosure laws
No bad PR to respond to
Lower liability to your customers
Less outbreaks of worms/viruses (less system damage repair/replace)
… and much more!
A non-compliant company GAINS: NONE OF THE ABOVE
So for the finance geeks out there, yes I know you want metrics and pretty charts to make management feel good but a good business leader needs no justification to do to the right thing. Its just clear that a compliance driven company which employs security technologies properly is a much more lucrative business model than to ignore the problem (PROBLEM SOLVED).