While security is the most important thing to us, in spite of the self-deluding analysis we receive, it truly is not the most important thing to business. The most important thing to business is profits, followed closely by revenue. Dotted lines and potential liabilities are all fine and dandy. But at best organizations put a small (3% to 4%) of their budget into security. If something only is taking 3 to 4 percent of your budget, it probably only gets 3 to 4 percent of your time and attention.
This is the sad truth that a “mature” industry like ours has to realize. Until the problems and threats are felt by the business owners to warrant more than 3 to 4 percent investment, we are not going to see a radical change.
-- Alan Shimel, co-founder of The CISO Group