The recent announcement of a third major retailer that has lost credit card information drives home several points I've tried to make over the years. Security cannot be an afterthought. Two of the complaints I've heard many a time are that security "gets in the way", or that it "doesn't make money, we can just absorb the cost."
The first one irritates me more than most, because it shows a casual disrespect for security that is outright dangerous. Yes, badly done security is pointless, and I'm in line with everyone else to gripe about it, but I gripe because of security theater, not because it gets in the way. Good security has to get in the way of the attacker, and it will cause some pain for developers and system administrators. Separation of duties requirements are a classic example: requiring authorization from the appropriate people before granting access, and validating that the accounts on a system should actually be there. Yes, it gets in the way, but it is just good sense to do it.
The second one, I don't know how to solve yet. Most companies say that they just can't afford to do security correctly. It's not true, but until they are willing to take the time to bring in experts, they'll consistently do it wrong — usually. I did see once or twice a shining example of a small business that did security right, but they stand out because they are so rare. Large companies, many times, truly can just eat the cost and hope they aren't broken into too often. Or they pay for the security that would have stopped the last break-in, ignoring the next one that is obvious. Someday, maybe I'll learn how to argue it, but for now I rely on published audit standards, like PCI and HIPAA and so on. Some of the others are too vague or high-level to be useful (SANS Top 20, some NIST publications). Yes, concreteness has its issues, but it's the only way to truly push back against some monumentally bad ideas where people truly don't understand how they create a security hole.