If you've talked with me much about security, then you've heard the phrase, "Nothing sells tires like nails." I use it all the time. It's been written on my whiteboard in the office for a long time. But why? I grew up near an old country store. The guy running the store made his money selling tires. He attracted customers, mostly farmers, by having a good supply of snacks along with a few seats around a heater in the back of the store. Everyone knew everyone. Small town. The farmers would sometimes give the storekeeper a hard time. They would playfully accuse him of throwing debris on the road out in front of the store when business was slow. He would jokingly respond by saying, "Nothing sells tires like nails."
I heard this phrase many times in my youth. As I got older, I found this principle applies to many things, and especially to security.
How many times have you bought tires because they were cool or sexy? Probably not many unless you are really into cars in some way. Most people buy tires for one of two reasons:
- A blowout - Think security breach
- Failed inspection - Think compliance
Security is pretty much the same way. Companies tend to spend more on security when they get hacked or they fail an audit. This may sound sad, but it is true. Companies manage risk and spending in many areas. Security is just one of them.
Security folks would do well to keep this in mind when both running and justifying a security program. No manager wants a big fail on their resume. Be truthful, realistic, and keep in mind why companies typically decide to spend money on security (or anything really). This will help you scope the type of information you report up the management chain.