Monday, February 28, 2011

So I missed a point or two…

As is often the case with quick blog posts, a bit of reflection before posting could have added some clarity to my last one, The true cost of non-compliance is ZERO*.

As far as “things going wrong”, the trigger for pushing the cost above zero may not simply be “suffering a breach”, but is more likely “suffering an incident which is so bad we have to deal with it”. Again, not a happy thought, but one we must accept if we want to make progress. I am tempted to opine that this is especially true in small to mid-sized organizations, but I am repeatedly reminded that many large enterprises are just really big small businesses, so I’ll refrain from that.

Andy Ellis pointed out that there are costs, specifically internal reputational cost, which I missed. Andy is smart like that. That means hiring and keeping good people will be a problem, as will other things that can accompany morale issues. They are hard to measure though, and are often overlooked until they reach a crisis stage, which I guess would qualify as “something going wrong”.