The real answer to the hiker story

Interesting analogy, heard it many times before, lots of truth in the words. But in business, it really comes down to cost:

"How much will it cost me to be secure?

It really doesn't matter that we might get hit; we might not get hit. Who really knows? And if I do spend the money on one security system, or two, or three, can you guarantee me that we'll be secure?"

That is how businesses look at it: how much will it cost me? Very few senior managers know anything more than budgets. They are interested in making sure that they are taken care of and only want to do what's needed to make that so.

I deal with this all the time when discussing security expenditures with senior managers. Only when not investing in security costs more than investing in it will these managers spend the money. This is a sad but true statement of quarter-by-quarter corporate life. Exit strategy: make the company look good for a couple of years, get a big bonus, leave then repeat at the next victim, er, corporation.

Are there better run companies that understand how to balance their infrastructure investments? Of course there are, but my experiences show them to be the exception rather than the rule.

The best thing you can do is to convince those who sign the checks that investing in security is a long term investment that's part of a never ending journey. Just as businesses grow and change with time, so do security needs. If they understand that it's a journey rather than a destination, you will have done them a favor. And if you show them the results from their investments, it'll be much easier the next time you come to them with your tin cup in hand.