Well Javvad Malik has created another awesome report taking on what taking security seriously actually looks like - both for customers and providers. Here's a little excerpt:
The “we take security seriously” line is the security equivalent of the infamous call center “your call is important to us” line. Everybody says it because that’s what you say.
Taking security seriously is not a statement to be made, it’s achieved by making security part of your process, and that’s visible to everyone. - Scott Helme
Taking security seriously isn’t measured by a solitary point in time, nor can it be boiled down to implementing a single standard set of controls. There are many factors that contribute to this mindset.
If someone says they take security seriously, they should be able to defend that statement in some manner. It doesn’t need to be a universally accepted position; it just needs to be something that shows they have put some thought into it and arrived at a logical conclusion.
Security doesn’t always need to be visible. It doesn’t need to be done for ‘show’ - a “security theatre” if you will. The problem today is that too many companies don’t think about security in earnest at all - well at least not until they get breached. After a breach, however, they all inevitably state: ‘we take security seriously’.
The Japanese say you have three faces. The first face, you show to the world. The second face, you show to your close friends, and your family. The third face, you never show anyone. It is the truest reflection of who you are.
Similarly, you could say that security has three faces. The security you show to the world, the security that is visible internally in your organization, and the third reflects how you truly feel about security - that is the real measure of
seriously you take security.