What? Security is the one domain I found where you can't just waltz in because you've heard of a computer. You need to do the work upfront with Sec+ or the like; it would take months for a newbie. Past that point, what more guarantee can you have? Even work experience can be meaningless if they weren't in the right team/role.
Security is a cost center, not a profit center. Most companies cut that investment to the bone, which means paying the bare minimum that lets them check boxes.
This is true for basically any non-tech company, and is true for like 75% of the tech companies.
> You need to do the work upfront with Sec+
Sec+ is part of the paper mill parent is referring to. A book of terms to memorize for 3 months and then call it good.
> Security is a cost center, not a profit center. Most companies cut that investment to the bone, which means paying the bare minimum that lets them check boxes.
This. Definitely.
But even at organizations with the budget, the knowledge and the infrastructure to do security right, no matter what the security folks think/want/suggest, UX and low friction matter. If a process is too onerous (and that varies from org to org and person to person), it will be rejected post haste -- as will you if you try to force it.
This is especially true in the finance sector. Joe trader is too busy making bank to worry about all that security bullshit. "Just make it work! I don't have time for this. I banked seven-figure bonuses in three quarters this year and you're just some asshole! Get the fuck out of here, I'm busy!"
And that attitude often extends to management as well.
If you get away from the front-end and its users, the InfoSec guys are all over the back end like a cheap suit. Because their (not seven-figures, but not a kick in the teeth either) bonuses depend on making sure nothing bad happens.
Money (especially in the finance sector) is a powerful motivator, but it sometimes (more often than I'd like) creates incentives that thwart optimal security practices.
Not only is it a cost center, it's also seen as a hindrance to fast progress. Rarely will you come across an exec who takes security seriously. For them it's just a checkbox at best and an obstacle at worst. I'm speaking about application security, though. It's possible that IT sec, physical security, etc. are taken more seriously.
Cuts both ways, of course. There are terrible IT Security departments that don't understand the concept of false positives, create approval flows for critically needed items with 2-week SLA turnarounds, topple the network with poorly designed endpoint security scanners and tons of useless telemetry, and so on.
We kinda sorta already have laws designed to make software systems secure, but they aren't really followed in spirit. I suspect what's needed is an expansion of NIST-like bodies, more concrete specifications for what is and isn't allowed (e.g. like seatbelt regulations) and such.
Ultimately, it's going to be a cat and mouse game. A really determined hacker will find a way. But admin users with permissions over everything, passwords/encryption keys stored in plaintext, etc.: these are things that we can probably patch up really well, and force companies that can't afford to do that to (justifiably) go out of business.