That sultry, sexy, "shh."\nWe've all seen it over and over and over again during the past month.\nThat "shh" promised sex and security. It looks like Ashley Madison didn't deliver much of either.\nExcept for the sordid stories that keep Ashley Madison in the news, there is really nothing notable about the Ashley Madison breach. We are swimming in a sea of data breaches. They've become so routine it takes sex and scandal for anyone to notice.\nWith so many data breaches over the past several years, you would expect companies (and governments) to do something about them.\nBad publicity. Large fines. Lawsuits.\nYou'd expect action. You'd expect changes. But no...\nYes, we do get columns from horrified pundits, breathless press releases from security startups seeking funding, but, at the end of the day, no change.\nJust another round of data breaches.\nData breaches need to matter more\nAshley Madison had to have known the site was at risk. A breach at Adult Friend Finder was announced in May of this year. Sensitive information on 4 million current and former Adult Friend Finder customers was outed.\nCompanies are (usually) rational. When there is a problem that isn't getting fixed, it probably isn't that big a problem.\nAnd that's where we are with data breaches. The evidence is clear. Data breaches just don't matter much.\nThe worst case reported costs for the recent major breaches at Target, Sony, and Home Depot were estimated at between 0.01% and 2% of annual sales.\nFor example, the massive Target breach cost the company $252 million. That sounds serious until you consider that the cost per breached customer was at most between $4 and $5.\nAnd that's before insurance and tax deductions.\nIt's closer to half that. Spread out over years.\nSo it's just a blip -- if you look at data breaches as IT and PR problems.\nBut they're not: They're a real business problem.\nSoft costs, hard numbers\nThe problem is that the math is a bit off.\nThe reported costs are the hard numbers for the companies to "restore their IT systems" and pay fines, penalties, and lawyers.\nBut the hard costs are small compared to the soft costs, much less the costs for their customers (a topic for another day).\nBack to Target\nTarget had a terrible 2014. The massive data breach hit just in time for the holidays at the end of 2013:\n\nApproximately 10 million fewer customers in January 2014 compared to 2013.\nFinancials for 2014 were anaemic to grim, with its diluted earnings per share shrinking by 8.8 percent (compared with 3.4 percent shrinkage for Walmart).\n\nLooking at it another way, it was a reduction of around $600 million in EBIT (-12.6 percent).\nDiscount that loss any way you want, but those numbers are real.\nAnd they're not covered by insurance or deductions.\nReal money\nSorry, security folks, we need to start talking money and business. Not fear and tech.\nIf you can't save money or make money doing security, don't.\nA well-established, traditional business like Target will likely turn around. Big box stores have eliminated a lot of their local competition, so many customers will return, eventually. They have little choice (though 2014 was a good year for Amazon Prime - coincidence?). But for a lot of businesses, a major data breach could be a company killer. Or crippler.\nBefore the breach, Ashley Madison was busily seeking investors. I don't think anyone thinks this incident is good for Ashley Madison.\nThis data breach has to have notably decreased the company's valuation. Fewer subscribers. Increased churn. Any potential investor is going to look extra closely at their operations. Not to mention distractions of lawsuits and government investigations.\nThis is where security professionals need to focus. Stop begging your CIO for staff and equipment funding. Instead, warn the CFO of the hundreds of millions in revenue the company may lose if he or she doesn't invest in it.\nIt's your turn\nHow do you justify or judge security expenditures?\nAre you satisfied with your security program? Why or why not?\nWhat security topics would you like covered?\nI look forward to your comments below. Or feel free to email me directly.