
All true, and I think the solution is even harder than that. That is, even the best-intentioned and well-resourced companies would face severe headwinds in trying to "build [or rebuild] on the rock".

A lot of these businesses have been around for decades and are working on mountains of technical debt. They built ad-hoc systems over the years (before security was "a thing"), employ tenuously-functioning integrations with acquired company systems and more. To make matters worse, much of the technical knowledge has walked out of the door over the years.

In my consulting days it wasn't unusual to find that no one in a company really understood how systems worked (or even why). And, in some cases, they actually didn't work. I've seen billing systems that were unpredictable and relied on customers to call to report billing errors. Not a single person in the company even understood how it was supposed to work.

And, these were sizable companies. Agile has only exacerbated these issues as more software is built more quickly and with scant documentation.

All of that to say that it's difficult enough for many companies to build functioning software, let alone to secure it. And, the number of people who truly understand what it takes to secure networks/software is tiny relative to demand for engineers.

Throw in OSS, zero-days, social engineering attacks, etc. and it starts to become clear that any realistic solution includes a regime of deterrence through aggressive responses at the nation-state level. Sure, we should require companies to do more to secure their networks/systems, educate on best practices, etc. But, it's easy to issue an off-handed "they should've been more secure" response. The reality is that many companies simply aren't. We need to appreciate the difficulty and the protracted timeline over which any hardening might happen (if at all), and deploy a multi-faceted approach that also treats the problem as the national security issue it represents.



