Someone from the security team explained why security is so important. I cannot post the original presentation or words here, but the rough idea was:
If security issues cause a 25% loss of our revenue, that is $250K when we make $1M, and it will be $250M when we reach $1B revenue, so we should keep improving our security figures, e.g. reduce the loss from 25% to 0.25% so we will “just” lose $2.5M when we are at $1B.
Makes sense, right?
Not exactly, to me, especially considering how the security team deals with “improvement”: they tend to make changes without notifying the teams affected, they roll out new things without discussing them with the teams affected, and they run in “god mode” where nobody can challenge them or change their decisions.
Let me make a similar statement:
If security issues cause a 25% loss of our revenue now and a 0.25% loss in a year, but the impact is that our revenue growth drops from 1000x to 10x, then our revenue in a year, after subtracting the loss, will be $9.975M instead of $750M. Is that a good deal?
Neither is perfect; security is about balance. I’m not a security expert, but I think the most secure system is one that has no functionality, stores zero data, and offers no interface to access it; that way it will not be breached, data will not be leaked, and so on. Is that secure enough? Yes, for sure, but is that what the business wants to be? Not at all.