I've been the employee who describes what needs to be done to improve security, only to be ignored. And then some rando off the internet makes note of the security shortcoming in the product and suddenly the boss is going crazy. He says stuff like "Why didn't anyone tell me about this?!" And fixing the issue needs to be done yesterday. No, no time to fix it properly, let's slap together whatever we can and rush it out.

So glad I quit that job.
This reminds me of something we wrote a few years ago about PCI compliance:

https://rsync.net/resources/regulatory/pci.html
The misaligned incentives for security are the core issue, so stronger regulation is needed. Breach happens? The entire executive team ought to get most of their remuneration clawed back.
No one disagrees. Consider project management, for example, which has had many failed projects, has evolved, and is still incredibly imperfect. Health care services have had many flaws, continue to evolve, and are still incredibly imperfect. Marketing has had many flaws, has advanced, and is imperfect. Pick one or two problems and advance them. Try not to kill people in the process, which is all too common in tech.
This may not be a popular opinion, but this honestly comes across to me as a sad rant that has nothing worthwhile to say about security.

Consultants get paid to come in and advise, and internal staff are ignored? Suck it up, it's not a problem particular to security. I've seen it everywhere.

People don't choose hospitals because of their security program? Well, duh. They don't choose hospitals for all kinds of non-medical reasons that are still vital for the damn thing to function. Get back to me when you're in surgery and the whole hospital goes down in a ransomware attack.

Honestly, if I had to listen to this person on my team for more than 10 seconds, I'd be on the phone to Deloitte before you could blink.