The Equifax hack(s) have resulted in impassioned discussions on security, patching and due diligence in general. Many CISOs and security stalwarts have had a lot to say on the matter, and yet we don't see any security leaders actually wanting to work at companies like Equifax.

So I am curious to learn what it would take for the security champions to be enticed into working for Equifax et al.
Glassdoor says that a Senior Security Engineer salary is $110k at Equifax. The reviews say things like "Bad Reputation, Business emphasizes revenue over quality" and "Most work is performed offshore, Poor strategy from Management".

Equifax failed at security because Equifax's leadership doesn't care. They will only be convinced by seeing revenue drop or incurring larger penalties from the government. Revenue will not drop because the affected people are not paying customers. Penalties will not increase because the current political climate is "All regulations are bad" when it should be "Bad regulations are bad; Good regulations are good."
Probably something akin to "as a CISO, if I'm hired here, I expect all levels, onshore and off, including executives to follow these new security policies and plans, putting features on hold to do security review, audit, and rewrites - and anyone actively refusing to participate or trying to put bullshit first will be terminated immediately; teams are expected to cooperate in this regard or else same" in addition to an absurd sack of liability money.
I imagine getting any security best practices (as defined by the employee) implemented to be as much a political challenge as it is a technical one.

With that said, most technical people don't want to be politicians.