As is often the case with quick blog posts, a bit of reflection before posting could have added some clarity to my last one, The true cost of non-compliance is ZERO*.
As for “things going wrong”, the trigger for pushing the cost above zero may not simply be “suffering a breach”, but is more likely “suffering an incident which is so bad we have to deal with it”. Again, not a happy thought, but one we must accept if we want to make progress. I am tempted to opine that this is especially true in small to mid-sized organizations, but I am repeatedly reminded that many large enterprises are just really big small businesses, so I’ll refrain from that.
Andy Ellis pointed out that there are costs, specifically internal reputational cost, which I missed. Andy is smart like that. That means hiring and keeping good people will be a problem, as will other things that can accompany morale issues. They are hard to measure though, and are often overlooked until they reach a crisis stage, which I guess would qualify as “something going wrong”.