Glad that was clarified, I was afraid I was "Nobody".
What the author is trying to articulate makes me wonder if he considered what security is. The core properties we mean when we say "security" are the CIA triad (confidentiality, integrity and availability). You can't tell me a "business leader" doesn't care about any of those. You have business related information that is vital for your business continuity and profitability. The confidentiality, integrity and availability are what we generally mean (not always though) when we say "security".
I'd argue that business leaders do care about security a lot. I think what the author means is "nobody cares about security for the sake of saying you're secure", but even then, business leaders do care about theatrical security, because it helps them sell their products and services. "we have a state of the art, military grade, encrypted cybers, unlike the competition". There are even popular and profitable security vendors whose main service is rating the security posture of companies, so that when you do B2B you avoid poorly rated businesses that won't protect the data you will share with them.
Security for individuals is a different topic than businesses; it's almost a different ballgame altogether.
Use APTs as an example: should some mom & pop small/medium size business care about them? Certainly not. They should care about ransomware though, because chances are, they can't afford the downtime and ransom payment. Should a defense contractor business care about APTs? Yeah, like all of them and then some.
Those are great points. And what you're saying is why I used the "nobody cares about backups" analogy.
It's NOT that nobody cares about the results of security. It's that those results ("not losing our sales database") are often not presented clearly or coherently enough for the decision makers to recognize the value of the activity ("doing regular backups, paying for offsite storage, etc.").
No, I think I get you. My point was, unlike backups, security is formally defined as those results. It isn't just the decision makers but the technical professionals that don't get what security is. If you design a database, you probably care about the type of security (which is just secure coding/design) you said nobody cares about, but if you admin a database, then security is all about protecting the data that will impact the business in a meaningful way, i.e., even if it contains meaningless data, an exposed db on the internet can impact reputation and potential revenue. Or if it's a DoS attack, the availability of the service provided will be impacted (a security property).
To sum it up, what business people think about the term "secure" in terms of computer information is "The data we need for business has confidentiality, I can rely on its integrity and it will be available when we need it for business reasons". They may not necessarily be concerned about quantifiable and/or short-term profits. Appearances, morale, ability to recruit new hires, come up with new solutions/products better than the competition can, because the systems we use are reliable and secure with fewer hoops to jump through because of "security theatrics".
Context and nuance are important.