Don't Worry About Security Reputation
When I first started writing about security, one of the big motivators for enterprises to implement strong security measures was to guard their precious reputation among customers, suppliers and partners. As the logic goes, if you suffered a security breach or incident, your reputation would be damaged and people would be less likely to do business with you. Back then, a security breach was something as mundane as a virus infection, much less a major hack that resulted in millions of credit cards being compromised.

Protecting corporate reputation remains a strong motivator among the security set. In a recent security survey conducted by Channel Insider and CompTIA, 50 percent of solution providers say their customers fudge security reporting to protect their corporate image. During a panel I moderated at CompTIA's Breakaway last week, panelists and audience participants cited several times the need to impress upon end users that their reputations could be damaged if they don't take steps to guard their data and infrastructures. One of the panelists even cited TJX as an example of how badly a company's reputation could be damaged by a major security breach.

Bear with me, but I'm going to jump back and forth between the past and future. Let's start back in the early 2000s, when reputation actually meant something. CD Universe was often cited as the poster child of reputational damage caused by a hack. The online music retailer was breached and had "thousands" of credit cards stolen. Within months, CD Universe—the one-time leader in online music sales—was no more, presumably because the incident eroded customers' faith and they flocked to competitors.

Fast forward to 2007, when TJX—one of the nation's largest retailers and parent of chains such as Marshalls, Home Goods and AJ Wright—disclosed a breach that lasted more than two years and compromised more than 94 million credit card records. In this case, TJX—a company subject to the PCI-DSS credit card industry security standard—willfully ignored the need to upgrade its wireless encryption, which allowed former employees to enter the network and plant Trojans that leaked a steady stream of payment records.

In the last decade, several major brands and recognizable organizations have suffered massive security breaches: Wells Fargo, Citibank, ABN AMRO Mortgage Group, Network Solutions, AIG, Marsh Insurance, Kaiser Permanente, T-Mobile, Boeing, Johns Hopkins University, Certegy Check Services, Fox News, Monster.com, TD Ameritrade, The Gap, Hannaford Bros., Compass Bank, Bank of New York Mellon, University of Miami, University of Utah Hospitals and Clinics, Countrywide Financial, RBS WorldPay, CheckFree and Heartland Payment Systems. According to the Privacy Rights Clearinghouse, more than 263 million individual financial and identity records have been compromised over the last four years.

Not one of these companies has gone out of business as a result of its security breach. In fact, few have suffered any lasting reputational damage as a result of their security breach. TJX, the largest known security breach to date, cost the company more than $230 million in fines and remediation costs. In the year following the breach disclosure, TJX's sales and stock prices were actually up, showing that consumers favored affordable goods over security concerns. Some might argue that consumers were more cautious about how they were paying for goods at TJX stores, opting for cash over credit cards. Even if that's true, a shift toward cash payments actually benefits retailers, since they don't have to surrender payment fees and commissions to the credit card companies.

The federal government has dozens of agencies and tens of thousands of professionals dedicated to the security of its networks. Yet federal agencies are among the worst offenders when it comes to security breaches. The Department of Veterans Affairs is in the top five of all-time worst breaches after an employee's laptop was stolen; it contained the identity records of more than 26 million current and former military personnel. Despite annual grading of security posture mandated by Congress, federal agencies consistently fail to make even a passing grade. And rarely do you hear anyone express concern about handing over sensitive data to the government (at least in the context of IT security).

Experience has shown that the markets, consumers and business partners are either very forgiving or conveniently forgetful about security breaches. Several of the companies on the security breach list have bad reputations among business partners and consumers, but breaches are rarely cited as a concern. If you think of Countrywide or AIG, for instance, you'll probably express mistrust about financial stability and the subprime mortgage crisis long before citing security concerns. This isn't to say that business partners aren't concerned about security postures. In fact, many companies—particularly in the financial services and pharmaceutical industries—impose stringent security requirements on business partners. But as long as current postures meet the security standards and a company can demonstrate that it has corrected past mistakes, it's usually allowed to engage in business.

My father drilled into me as a child that people are only as good as their last mistake. The security record shows that, in truth, businesses are only as good as their next potential opportunity. Don't mistake what I'm saying as a viable excuse to ignore security. Businesses and consumers require security—or at least the appearance of security—as a prerequisite for engaging in business. For instance, no one would use online banking if the padlock didn't appear in the browser indicating that an SSL encryption session was initiated, even though packet sniffing attacks are fairly rare. Companies would think twice if a business partner didn't have a perimeter firewall on their network, even though many attacks now happen at the application layer. And no one would offer or use a service that didn't at least have password access protection.

Of course, regulatory compliance is a big factor for security. Some people would argue that corporations would forgo many of their security measures if it weren't for legislation such as Sarbanes-Oxley (corporate governance), HIPAA (health care), GLBA (financial services) and California SB-1386 (data breach disclosure requirements).

Good security practices are more about protecting assets, enabling business processes and mitigating the potential damage caused by a breach. With each of the breaches listed above, there were real costs associated with correcting the damage. In cases where data and resources are destroyed, the costs of restoration can be enormous. And beyond identity theft, the loss of proprietary data—such as product development and designs—can result in millions—if not billions—of dollars in lost opportunity. These are the real reasons for having security, and what security solution providers should impress upon their customers when engaged in security assessments and planning. Reputation, well, that's something that comes and goes, and security is just one of the influencers.

Comments (4)
In prepping for a response to your post - keep in mind that CardSystems (40M cards exposed) did go bankrupt and out of business. Savvis, CardSystems' QSA at the time, is still fighting a lawsuit. Just because a company may have offsetting controls to manage their reputation post breach should not negate the need to factor in the impact to reputation in cases of a data breach.
Posted by Chris Hayes | August 13, 2009 11:06 AM
The Savvis lawsuit is different than the reputational damage caused by the initial breach. In that case, it's my understanding, the lawsuit is about the competency and assurity of the Savvis service in auditing and certifying the system that was breached.
That said, I will revisit this topic because I have discovered an error in my logic (not surprising, it's been known to happen from time to time). The examples I cited were of the mega-breaches at major corporations. Large enterprises have a different standing in public opinion than small, Main Street businesses, and have a much greater ability to weather a public relations storm such as a security breach. Small businesses, on the other hand, are more likely to suffer permanent reputational damage as a result of a security breach. Thanks to Symantec's Randy Cochran for pointing me down this path.
Posted by Larry Walsh | August 13, 2009 6:43 PM
The consumer public's awareness may be improving, and with so much talk about risk mitigation and damage control, some may be realizing that the current security model has so many holes in it that it is a matter of "when, not if" a breach will occur.
If that is the case, then there would eventually be nowhere else to shop.
Posted by Rob Lewis | August 14, 2009 7:46 AM
1) Cardsystems went out of business. See http://en.wikipedia.org/wiki/CardSystems_Solutions
2) When you make references to a study, could you please provide the link to the study so I can read it for myself.
Posted by Bill Frank | August 18, 2009 1:30 PM