I work for a major auditing firm. The customers we audit the majority of have quite good security. When we start to ask about the subcontractors, things get bad quickly.

Many companies protect the easy stuff, and then outsource a lot of the work to subcontractors. They then send them a self-assessment survey about their “security”. It’s all bullshit.

Case in point, we actually drove out to one of these subcontractors for a major data center provider. We got stuck in traffic, but figured what the hell and still pushed on, arriving at 6:00 pm. We walked in... literally. They had left for the night and forgotten to lock the door; computers, servers, drives, routers, you name it, everywhere. Their 3-year contract was voided later that evening.