I don’t think any business is going to buy into security as a core competence unless you can demonstrate to management that they’ve lost business directly because of a lack of security. And even then, it’s an incident around lack of security that’s more likely to get action rather than the idea of being proactive about security.
I can’t speak to the business world as a whole, but in my experience Martin is right. More specifically, it will take many, many incidents for a company to understand that this is not just a point issue that can be addressed with one patch.
Martin also talks about using the sales team to your advantage:
If your company does operate in an environment where security can be used as a sales tool, think about incorporating your sales department in your efforts to push security up the ladder. If you have your VP of Sales talking about how security will allow them to approach a market they haven’t been in before or get a sale they missed last year, management will see the dollar signs. It’s probably a lot healthier way to sell security in the organization too.
In a similar vein, use your customers to your advantage. Find out who the biggest customers are, contact the security organizations at those companies, ascertain what their specific concerns are, and assist them in making those concerns known. Make yourself an evangelist for the customers. Undoubtedly, if you see issues with the product being sold, so do your customers; they just don’t know who to talk to in order to make those concerns known.
Update: I closed a tag on behalf of Arthur. cw.