"As a consultant, I see a lot of companies with serious security problems, but these are things that they cannot change organically; we can tell them all the things they need to do, but that process is often dramatically complex," Meltser said. "These companies are typically bound by regulations and issues of corporate culture such that any change can't happen overnight; but your message has to be packaged correctly and delivered to the people most receptive to change."
In his experience, the security expert said, the best approach to that challenge is to break larger projects down into smaller components that can be achieved incrementally over shorter periods of time.
Ultimately, the most significant point of disconnect between security pros and the business people they work with is the struggle to balance issues of protection and compliance with efforts aimed at growing sales and revenue, which the panelists characterized as a near-constant "tug-of-war."
No matter how dangerous it is to launch a business application based on related security concerns, corporate leaders often are willing to accept the risk if it is a tool that they feel will significantly boost their larger corporate interests.
Even when executives are willing to joke that the term ROI, which has traditionally stood for "return-on-investment," has changed to "risk of incarceration," based on all the new security and privacy regulations being aimed at businesses today, many are still willing to stomach major risks to meet their objectives, the panelists said.
"Being in an e-commerce start-up today, we are literally living this tug-of-war," said John Amaral, chief architect at Retail Convergence. "I joke about the risk of incarceration with our executives whenever we pass each other in the hall, but at the same time, we all know that we need to get features and functions out the door to get customers to the site."
The PCI DSS mandate -- developed by the world's largest credit card companies to punish firms that leak consumer information -- has to be referenced in nearly every IT-related decision that the e-commerce startup makes. However, the company can't get so bogged down in trying to meet all of the standard's demands that it cannot grow its core business, the expert said.
"With PCI, customer data security is a very important consideration and our executive team understands the risk, but they also need to see the rewards," Amaral said. "Sometimes we ask for more time to do something and they don't want to wait, they want to get customers to the site; while most executive teams support [IT] putting security measures in place, they also need to hold onto the bottom line."