3) Only Bad People are Bad
Casual hackers aren't the real threat. Hackers actually help trip landmines that are waiting to be exploited.
The real threats are organized hackers (think terrorist cells or enemy states) who could cripple our infrastructure, utilities and communication systems. Real threats are insiders who already have access and know where the crown jewels are. Companies focus on hackers, but that is the wrong assumption. And they always forget that it's their poorly written software that allows the hackers to exploit them in the first place. Fix the problem (bad software) and you mitigate the threats.
4) Security ROI is the Beacon
A recent Gartner survey noted that 25% of organizations are looking for a specific return on investment from information security investments. An additional 27% view it as a cost or risk avoidance investment, leaving only 48% of organizations that view security investments as a cost of doing business.
Until organizations let go of the desire to measure security ROI, they will never be satisfied with any investment therein. Your applications and data are liabilities, not assets. They are information security risks and liabilities that need to be mitigated, not exploited for ROI.
If companies thought about their applications as threats or liabilities instead of assets, they'd treat them a lot differently, from conception through development and deployment. Think of security investment like an investment in term life insurance: you are mitigating the risks associated with a liability, your mortality. We don't die every year, but does that mean term life insurance is a bad investment?