16 comments

[ 2.8 ms ] story [ 47.4 ms ] thread
(comment deleted)
I think the "Your" got dropped from this. Should read:

You Security Program Is Shit

Shouting truth into the abyss. Great read. My CISO chuckled.
No one disagrees. Consider project management; for example, which has had many failed projects, has evolved, is still incredibly imperfect. Health care services, have had many flaws, continue to evolve, are still incredibly imperfect. Marketing, has had many flaws, has advanced, is imperfect. Pick one or two problems and advance them. Try not to kill people in the process which is all too common in tech.
Ultimately, the problem is self-interested people, misaligned incentives, and insufficient legal recourse for victims.

What's the motivation to do anything right in security if most of the time you don't have a breach and you can get away cutting corners? When something does go wrong, you can blame it on underlings, claim it was a "sophisicated attack from nation-state actors", and rely on the public to not care?

I don't know that security is comparable to project management, health care services, or marketing. Inefficiencies in those have visible costs and reasonably good incentives for improving them.

That’s when you step away. Come back later and take that last statement and spin it to a question instead. Can security have viable costs and incentives- what is a new way to improve it? Can’t see opportunity any more then take a break. I hate the nation state lies they muddy the real issues. That is not saying there are not threats, yet the hype and lazy attribution isn’t improving anything.
I've been the employee who describes what needs to be done to improve security, only to be ignored. And then some rando off the internet makes note of the security shortcoming in the product and suddenly the boss is going crazy. He says stuff like "Why didn't anyone tell me about this?!" And fixing the issue needs to be done yesterday. No, no time to fix it properly, let's slap together whatever we can and rush it out.

So glad I quit that job.

This is almost my current employer to a tee.

I hope to take the same action as you in the near future.

This so accurately describes the last week of my life. Years of shrugs and "we will get to that when <moving goalpost>" when security concerns are brought up. Thankfully, we had done some of the work anyway and were teed up to do the rest quickly enough. Still sucked pretty hard.
(comment deleted)
The misaligned incentives for security is the core issue, so stronger regulation is needed. Breach happens? entire executive team ought to get most of their remuneration clawed back.
This assumes the breach is disclosed. Most hide them.
This may not not a popular opinion, but this honestly comes across to me as a sad rant that has nothing worthwhile to say about security.

Consultants get paid to come in and advise, and internal staff are ignored? Suck it up, it's not a problem particular to security. I've seen it everywhere.

People don't choose hospitals because of their security program? Well, duh. They don't choose hospitals for all kinds of non medical reasons that are still vital for the damn thing to function. Get back to me when you're in surgery and the whole hospital goes down in a ransomware attack.

Honestly, if I had to listen to this person on my team for more than 10 seconds, I'd be on the phone to Deloitte before you could blink.