Security is not a buzz-word business model, but our cumulative effort

This is a personal opinion about security and the revenue models built around it - best read with a pinch of salt (and, while we’re at it, a shot of tequila). I’ll cover both sides of the coin: heads, where pentesters try to give you an honest heads-up on the real issues; and tails, where businesses still believe they can bolt security on at the tail end of development.

A recent conversation with a friend in information security pushed me to name the elephant in the room. He works at a security services firm that sells intelligence feeds and alerts. He told me about a case where his firm held back the right feed at the right time - even though the client was demonstrably vulnerable - because that client was on a different subscription tier. Business matters, of course. But isn’t security a collective concern? If that client gets breached tomorrow, do you just look away because they didn’t pay enough? Remediation always costs money and effort, I get that - but sitting on an alert about an attack you’ve seen in the wild, purely because of a client’s price plan, is hard to defend.

I don’t expect a utopian world where security is obvious - but we can certainly walk in that direction.

Security to a business

Is it a domain, a pillar, or - going by the current buzz - insurance? For all the talk, information security and privacy still tend to begin where the business requirements end. Yes, there’s a genuine shift left, a push to bake security in from the idea stage, but we’re still a long way from that ideal. I’ve sat on both sides of the table: putting myself in the shoes of the attacker, and working alongside developers to understand their pain points and build a secure ecosystem together. In my experience, it’s rare for a business to care about security from day zero (which says plenty about the clients who do - and why they’re still in business). More often it’s: build this application to these requirements, sort out the revenue model and maintenance costs, and - oh - check if we really need those security add-ons, or just enough compliance to keep the auditors from knocking.

This troubles me. Why don’t we treat information security as a pillar every bit as important as the revenue model itself?

Security as a business

I have plenty of issues with how “security” gets tossed around as a buzz-word to earn dollars, while few respect its gravity or its actual purpose. Whether it’s information, financial, or physical security, the effects on someone’s well-being are real and quantifiable. Every month I read tens - if not hundreds - of reports and advisories whose quality is embarrassingly poor. Dig into why, and it’s usually one of a few reasons: the good firms are expensive, someone’s too comfortable with their existing vendor, or - worst of all - the business neither cares nor pushes for better quality. In the end it’s treated as a plain business transaction, or a compliance box to keep the auditor happy.

A few questions worth sitting with:

  1. You ran a pentest and charged for your quality. Tomorrow that hospital gets hacked, or patients are harmed. Would you admit you didn’t put your best consultants on it because they were too expensive for the budget - that you didn’t walk the extra mile because the billed hours ran out?
  2. And you, the CEO: you want to trim security spend because a bigger ad campaign or a nicer car feels more worthwhile, and security expenditure looks dubious to you. Next time, look at how much companies have lost after a breach. Just because it isn’t urgent doesn’t mean it won’t become urgent - and by the time it does, it’s usually too late. These issues are symptoms: if you can see them, you’re already in trouble. Security rarely shows immediate ROI, granted - but don’t let it become the poster child for out of sight, out of mind. That’s a serious bet to place on your revenue, your employees, and your customers.

Having touched both sides in this short piece, I hope the message lands. Please take security seriously - not merely as a business transaction. Every time you’re on either side of it, think it through: you put your savings into a crypto exchange that gets hacked through sheer lack of due diligence; your medical records leak because someone skipped a proper pentest; your bank loses your money because it never seriously checked its own infrastructure. And if you feel untouchable because your home router is locked down, you’re living in an illusion. One last word to the firms with genuinely good consultants but hopelessly sloppy reporting: take the deliverable seriously. It’s the only window a business has into the issues - current or coming - and the only way they can plan remediation in time.

That’s all, folks. Stay safe and be responsible - security is a cumulative effort, and everyone has to stay vigilant, because you never know where the next attack will come from.