Six Reasons to Spend on Security Today from a PCI, HIPAA and SOX Perspective

1. Security spending was once about protecting us from viruses, and then from the internet.
It's gotten a little more complex since then. There are a few common answers to the question of "why to spend." In examining these answers, it is important to remember that different types of companies have different needs, so different answers may make sense. The question of how to allocate resources scales from poor to rich, and from small to large. Either in time or money, the issue of allocation is common, even as the answers vary widely.

2. Loss avoidance is a great reason to spend money on security, but this raises important questions.
First, how much money could be lost, and how? Second, will security spending realistically prevent the loss? Will it do so consistently, or only sometimes? Later in this chapter we will describe why these are very difficult questions to answer in the absence of good data about what goes wrong. Specifically in this case, we don't have actuarial data like insurance companies do.

3. Another form of monetary loss is damage to reputation or brand.
We have good evidence that the share price of a company that discloses a breach recovers within a few days. Contrary to expectations, few customers leave. Nevertheless, the immediate cost and distraction of dealing with a breach can justify spending on security.

4. Enable a new business process.
Some new processes carry such obvious risks that, without security, they could never be launched. An example is selling stock over the internet. The new process is no doubt expected to make lots of money. But the process might also expose the business to risk, so spending money on security might be considered appropriate. Spending money on security analysis early, to find and address risks, is usually a better choice than spending money later on "mitigating technologies" or "compensating controls." If you don't know and can't easily discover what your risks are, it's likely that other people will find them and start exploiting them.

5. Some business processes require compliance with externally imposed standards.
For example, if a company wants to accept credit card payments, it must comply with Payment Card Industry (PCI) standards; a company that handles health information must comply with the Health Insurance Portability and Accountability Act (HIPAA). A fast-growing thicket of laws concerning security, privacy, and operations regulates corporate behavior. Complying with the law has been one of the fastest-growing reasons to spend on security in recent years. Some of those laws impose fines and even jail time for noncompliance, so compliance spending has been viewed in some cases as "spending to keep the CEO out of jail."

In the United States, information security law is mostly sectoral, covering finance and health. The Sarbanes-Oxley Act, often simply called SOX, is the broadest of these laws. It imposes new levels of due care in record keeping by public companies. If the computers that records are stored on are insecure, how secure can the records be? SOX has been a boon to compliance departments in U.S. companies and those that list on U.S. stock markets, because SOX is often seen as a blanket reason for spending. Unfortunately, compliance spending has often been accomplished through diverting security funds. SOX controls that are constructed only to allow an auditor to "check a box" are unlikely to be very effective.

Some privacy laws in the U.S. are sectoral (covering finance and health, but also more mundane areas such as video rentals). Others are broader in scope but more local. For example, California has laws that impact any company that stores certain data about a California resident. California Senate Bill 1386, which we discussed in Chapter 4, provides a good example of how justifications can overlap. Spending here can protect a brand while avoiding the costs of notifying customers about a breach. Other places have stronger data-protection laws, such as the European Union's Data Protection Directive and Canada's PIPEDA. Companies affected by these laws must spend money to comply.

6. National security issues
Sometimes a government is obliged to protect data for national security reasons, such as the identities of spies or nuclear launch codes. Other times, the obligation has to do with the mandatory nature of the data collection and the social contract that surrounds it. It is worth noting that in government, there are no competitive reasons to spend on anything per se (including security), because there are no competitors. Governments rarely "go out of business" because of mismanagement. For a business or individual to switch to a new government is much more challenging than it is to switch to a new ISP.

Two other notable motivations affect a government body: avoiding investigation and maintaining a sufficient level of trust that most citizens won't lie to it. One of the worst things that can happen to bureaucrats is being brought before the legislature for an investigation. Such investigations can paralyze an agency (think of Iran-Contra, the Clinton scandals, or the corruption investigations into associates of Brazilian President Lula da Silva). Incidents of government employees being jailed for incompetence or malice seem to be quite rare, even when incompetence, sloth, or malice have an impact on people's lives. When government agencies are seen as untrustworthy, people avoid them, lie to them, and otherwise prevent them from doing their job. This can be seen in the black markets that exist in corrupt economies around the world.

The same sorts of issues that make it hard for consumers to evaluate the security posture of a company or a piece of software can apply to a citizen trying to evaluate a government. The added interference is that the government can classify a problem, making it illegal to disclose or discuss. If people believe that their data will be unprotected, they may choose to lie to protect themselves. Data security concerns can then play into data quality, and governments may choose to spend on security for this reason.
As we write this, Congress gives the average American federal agency a D grade for information security management. When some agencies start to improve, this may also motivate others to do the same.
