People often miss one of the biggest selling points of information security: cost reduction. This is one of the problems with comments in a recent article at Dark Reading. It reads, in part:

Most mid-sized U.S. firms rate information security as a higher priority than reducing business costs, according to research released this week by services specialist Arrow Electronics Inc. The survey of 200 U.S. companies revealed that almost 80 percent of firms rate security as a top business issue, compared to 69 percent who cited ‘cost reduction,’ and 64 percent who listed improving customer service as their major concern. [...] “These findings affirm what we’re hearing from our business partners who are on the front lines with midmarket companies, the fastest growing sector of the economy,” said Mark Taylor, general manager of Arrow’s midmarket group in a statement released yesterday. “Information Security offerings are a top priority.” These sentiments were echoed by the IT user community. “I think that when it comes to losing data because of viruses, hackers, or other threats, that definitely is a top concern, and I would agree with the Arrow survey, [security] outweighs cost concern,” wrote David Vellante, co-founder and principal contributor of the Wikibon user group in an email to Byte and Switch. “These are often fast-growing enterprises, and while they’re cost conscious, they often can’t get the leverage a big company can get out of cost-cutting measures.”

Source: Survey: Mid-Sized Firms Shape Up for Security, James Rogers, Dark Reading, 22 August 2008

I disagree with assertions that SMBs can't realize cost savings from security controls. Failing to frame security within the context of business objectives, including cost control, is one of the biggest reasons senior managers refuse to allocate revenue for network security efforts.

Let's start with the maxim that security is an enabler. Security, properly balanced with operational objectives, helps ensure continued delivery of information services. It isn't hard to find anecdotal evidence of what happens to SMBs infected by malware or careless with customer/employee data. Building a quantitative case for managing these risks is relatively easy; it is as easy or as difficult as selling the CEO on purchasing insurance to cover other eventualities.

Then there's business continuity, one of the often overlooked security domains. Yes, many organizations know that disaster recovery (DR) plans are a good idea, but how many actually take steps to ensure system and data availability? And what about data integrity, the "I" in the C(onfidentiality), I(ntegrity), A(vailability) triad of security? Failing to properly segregate duties, implementing weak access controls, or blowing off annual third-party risk assessments might seem like a good idea in the short term. But how many SMBs can weather a serious compromise of investor/customer trust or goodwill without ending keel up?

A business case can be made for SMB allocation of security budget dollars. It's up to internal IT management to understand risk well enough to build an effective proposal. Security managers in large companies have already learned this lesson.