Security is a cost centre

Investopedia defines a cost centre as a department/ function within a company that doesn't add to profits, but needs money to operate. e.g., human resources, accounting, admin/ housekeeping, etc.

They also define a profit centre (in the same page) as a function/ department that adds to profit by their actions. examples include sales, business development, activities directly related to a company's primary line of business, etc.

In most of the companies, information security is implemented because some regulation/ law/ customer asks for it, lest they lose their business/ customer. Companies whose shares are traded in public, banks, insurance companies, etc. are examples of some organisations that have some security related mandates to follow.

The only place where security is a profit centre is in a company that provides security services or products. In those companies, the function is directly related to their primary line of business.

It is a cost centre everywhere else.

Every CISO knows it, then why am I talking about it?

Because 'yad bhaavam, tad bhavati' (as the intention, so you shall be).

Later...

At the intersection of pentest, auditing, risk management and career advice. Musings based on real experiences, not theory. All infosec, mashed up.

‎Follow the Risky Context channel on WhatsApp (if WhatsApp is your thing. Your number is not shared with others when you connect to my channel): https://whatsapp.com/channel/0029VaDqrFU8aKvQohD5nq0r