The Wall Street Journal reports today on attacks on US power grids – well, not actually attacks, but infiltration. Apparently someone has gained access and left evidence behind. It would be ignorant to think that this is the first time anyone has figured out how to access these systems, or to think that we can always detect unauthorized access. The truth is that US infrastructure is connected to power grids, nuclear facilities, and other critical infrastructure, and a disruption would not be difficult. Will 17 billion dollars of stimulus money fix the problem? Only if those working on the problem really understand security (see an earlier post about government contract workers and their lack of security expertise).
Using risk to drive new projects is powerful because it is urgent and because even the most sensitive systems are accessible when not properly secured. It makes sense for every company to be measuring risk and for these assessments to be done on a regular basis. Stop asking companies if they need security, and start showing them where they are vulnerable. The linked WSJ article is just one more sound bite to drive home your point.