So, $12.6M is more than twice what they spend on their on-going software development costs.

My guess is even without an information security management program, companies like Heartland can at least afford to spend $15k/release (assuming every six weeks) on third-party application assessments that would include findings such as SQL injection. This might be a good starting point, at the very least. 2% of software development budget has been tossed around as an indicator for software security budget in the past.

Better — they would partner with an application security consulting firm, which would involve spending millions of dollars over several years. The impact of such efforts would probably pay off in several different areas of quality and security improvement.

My guess is that companies such as Heartland spend almost all, or at least 60-80%, of their security budget on end-user systems and issues. InfoSec is likely not tied to capital planning or enterprise architecture.

With over a half-billion dollars in assets, and as a payment processor, I would think Heartland would be heavily invested in risk management. It’s extremely unlikely that they are willing to eat $13M annually for these types of costs. Let’s say, for example, that a company such as this spends $1M annually on their information security management program (note that this is less than one-fifth of a percent of their total assets). Verizon Business suggests spending these dollars on online data versus spending it on end-user systems, based on asset classes by percent of breaches and records.

You don’t have to be Gunnar Peterson to make a top-level decision to heavily invest in the areas prescribed here.