I am looking now into arguably the hardest problem of security: how to make it pay off. Security is usually seen as a risk management tool, where increasing security investment lowers the risk of costly disasters. But the trade off between security and risk is hard to evaluate and there is a bias for ignoring the rare risks.
We keep talking about costs, if you noticed. We lower costs, even not actual costs, but potential costs, and we do not increase the revenues here.
For example, when we talk about some product we can look at improvements that would get us more of the following to improve the bottom line:
- Acquisition – getting more users or clients
- Activation – getting the users or clients to make a purchase
- Activity – getting your users or clients to come back for more
Can security demonstrate similar improvements? To move from cost cutting to revenue generation? Share your opinion, please!