On the surface, asking why we have security might seem like a really dumb question, but humor me and answer it.
Did you answer, "because we are required to have it from a compliance perspective"?
Did you answer, "because an industry standard recommends it"?
Did you answer, "because it helps protect our assets and our business processes"?
Or perhaps you answered, "because of the risk to our company's reputation if it were not adequate"?
These are all good answers, but they only tell part of the story. As a security professional and a consumer, I was hoping for a different answer. Let's put on three different hats and answer this question from three perspectives: a business, a consumer, and the government.
Business: Certainly, from a business perspective I would be concerned about my reputation. If I were constantly being breached, I would lose customers, who would choose to do business elsewhere, though Larry Walsh at Channel Insider writes that some of the largest enterprises get away with murder in this regard and may not have to worry about their reputations, even if they do suffer security breaches that are publicly known. In addition, I might pay a fine if I didn't meet certain regulatory requirements. I could also lose my ability to do business if I didn't meet my partners' and industry's standards/requirements. So, as a business owner, it is in my best interest to have the best security I can afford so I can stay in business. IT Business Edge blogger Lora Bentley sees spending on compliance as a way to save company money in the long run. But most businesses will spend whatever is necessary to become compliant -- no more, no less.
Consumer: As a consumer, I don't quite see it the same way. I want businesses to have whatever security measures are necessary to protect my interests. This might include my personal, financial or private health care data. I don't care about businesses having security for any other reason than to protect me, the consumer, the best way they possibly can, and expense should be no object. The reputation of companies I do business with better be good or I will find another vendor.
Government: The government is caught in the middle. It wants and needs businesses to protect their own and their consumers' data, but it also gets pressure from industry lobbyists to ease up on regulations. For example, when Sarbanes-Oxley first came out, it was very stringent and cost businesses a lot of money to comply with. Businesses applied pressure, and the requirements continue to be adjusted. As for costs, the government does not really care what businesses pay for security as long as they don't complain about it.
So I will ask the question again: "why do we have security?" It clearly depends on whose point of view you take. I think the common thread is protecting data. Do you think that businesses actively weigh implementation costs, fines, and their reputations when deciding whether or not to implement security measures?