I sometimes think you can divide clients into three groups:
- Those who care about security
- Those who want to tick the boxes on security
- Those who don't know yet that they care about security
The good news is that creating an automated security infrastructure helps all three.
If your client cares about security, they want proof that you are doing what you say you are doing and that you regularly review and monitor it. Automation provides all the reporting and proof without you having to do anything about it.
Those same reports allow you to tick the boxes with people. If you didn't have them, you'd have to go through a manual process to dig up the information and supply it ad hoc as the review process requires.
Before we had some of the automation that we do now, that's exactly what I had to do. It could be painful to find the right information; sometimes it would be out of date, or would reveal a problem that needed to be resolved before we could respond, because we weren't reviewing things frequently enough.
Often all of this would be happening under time pressure because the security review was linked to a sales opportunity we were trying to secure (generally the entertainment industry loves working to deadline and hates to do anything it doesn't have to). That made everything more stressful than it needs to be.
With automation in place, I've found that we've reduced some of our review processes with potential clients to a few days. We probably spend more time discussing cloud infrastructure than the security side of things.
Finally, what about those clients who don't yet care about security? In my experience, those clients are happy to take risks with what they are doing, but when things go wrong it often turns out that they did have security expectations about the service you were providing but failed to articulate them, because often they don't understand how technology works that well.
The good news is that automation helps them too, as the cost to build automation is really all in the setup. Operationally, we've been able to throw an umbrella over our clients at marginal additional cost. All you need is one client who really cares about security and you can make a step improvement for all of them.