The computer security industry for SMBs is like 95% theater and 5% actual practice.
Conducting that test produced something tangible for whoever made the purchasing decision: It clearly illustrated a need for the services rendered, did it in a way that offered job security to management by giving them license to assert the position over their subordinates, and established a metric by which to evaluate the security company's performance which can be easily, repeatably, and predictably improved over time.
It also checked a lot of boxes that will be useful in court if they ever need to prove that they weren't negligent on privacy and security, which is a form of insurance that has real measurable value when it comes to legal claims.
> The computer security industry for SMBs is like 95% theater and 5% actual practice.
I'd say it's 40% paranoid arse-covering by IT department heads, 35% whatever middle management incorrectly assumes to be current best practices, 20% ego-stroking by the CIO, and 5% sensible context-driven decision-making by IT front-line staff.
Those numbers sound a little thin on the bottom, but only a little. Maybe take 15% out of the CIO category and just throw it away, because they're usually very quick to turn on their underlings.