Companies all look the same when the weather is good.
Most days it doesn’t matter. Rain, sunshine, wind. These might affect other parts of your business but not the safety of the path out front. People don’t notice too much. Maybe there’s a small crack or a little trash in a corner, but it’s passable, clear and not a danger to people walking by.
Then the snowstorm hits….
The next day, do people see a clear sidewalk or a dangerous icy patch?
Are you running business as usual, but not fixing a clear danger out front?
What does this tell your customers or potential customers about how much you care? Is it telling them that you are understaffed or failing? What other health and safety issues are you neglecting? Will you blame your users for not being safe if they get hurt?
This is the case with CVEs and other vulnerabilities. When the CVE of the day gets publicized, are your response plans nimble? Can you patch a library and get a new release out quickly? Can you publish a VEX document saying “we’re not affected”? Is it always an emergency, or do you have a playbook at the ready?
As a user, which of your vendors was a month late getting you an update? Which one never patched at all? Did you read about a breach in the news but not get clear alerts from them in the first place?
Your business might still be open after the storm, but your users will see how you handle the icy patches in the meantime….