Mitigating risks … is a waste of money?

There was an interesting talk at one of the panels at the RSA Conference, where SilverSky and Adobe claimed that investing in security is a waste of money. Their message is simple and compelling:

“For most companies it’s going to be far cheaper and serve their customers a lot better if they don’t do anything [about security bugs] until something happens. You’re better off waiting for the market to pressure on you to do it.”

Although they say that this was all in pretense, we all know it was not: companies large and small try to avoid fixing problems for as long as they can, waiting for customers to complain loudly before doing anything. Basically, this is a risk that companies rate as unimportant because of its low perceived rate of occurrence.

The problem with this kind of risk is that it cannot be properly rated. The probability of such risks is hard to rate because the data is basically unavailable. And the impact of the risk is underrated because of the low perceived probability. People tend to ignore such risks.

But can companies also afford to ignore such risks? What has to be considered is that a serious security problem may easily put a company out of business. Even if the company stays in business, the impact on the company's image may be such that it will take several years to recover. These are what are typically called “existential” or “terminal” risks.

[Figure: X-risk chart]

Companies, for the most part, must account for and mitigate certain risks that would put them out of business. Doing otherwise is called gambling and is totally irresponsible towards the shareholders.
