Where are you on the normal curve of information security?

I recently was goaded into joining the IT Policy Compliance Group so I could read their research report entitled Taking Action to Protect Sensitive Data.

Adam has already questioned the veracity of the 8% drop in revenue claim. And I agree with that point. Seems unlikely that it can be measured, yet I happen to believe that it is true. What also struck me (slowly) was the normal distribution of companies:

]

• About one in ten—twelve percent—organizations are experiencing fewer than two losses of sensitive data each year
• The vast majority of organizations, almost seven in ten—68 percent—are experiencing six losses of sensitive data annually
• A fairly sizable two in ten organizations—twenty percent—are suffering from 22 or more sensitive data losses per year

and that knowing where your company is on that normal curve can provide an information security professional a lot of firepower in promoting more investment in information security. If your firm had 2 or fewer breaches in the last twelve months, you're probably doing ok. If you have had 2 breaches in the last 2 months, you're probably going to get in big trouble over the next 10 months and you should take that information to your bosses. If you don't get the support you need, you may want to start looking for work elsewhere because:

• You can be almost positive that there will be more security violations;
• You'll be held responsible for those violations, unless you can CYA;
• I'd bet that their revenue will go down. Companies that can't do information security well also can't do other things well and that means that any hiccup along the way will have bigger repurcussions.