by arca_vorago 2955 days ago
You don't know how right you are about infrastructure in businesses. I've seen the inside of hundreds of companies over the years... everything from 5 man law firms to fortune 500, and it was a rarity to see good infrastructure.

It's a management problem, but it's also a problem because the people responsible aren't doing a good job convincing management. Which is why I think engineers/sysadmins/devs who have the ambition should start getting MBAs and going for the CTO/CIO position... which is the main executive position (if it even exists) that is failing.

It's also why I'm working on my data science degree now. Execs don't like you, they don't trust you, and they generally don't listen well... but they love numbers and pretty graphs!


I mean, can you actually convince execs it's a good idea, no matter how charismatic you are? As a citizen, an engineer, and a consumer I think software and infrastructure security needs to be taken much more seriously due to how much breaches hurt people.

But if I was an executive or shareholder? Why would I care? We've seen time and time again how data breaches are just a blip in the stock price, the government doesn't punish anyone for negligence, and if someone manages to take serious money from you the government will go after them on your behalf. Security is expensive, and the odds of you having a breach that actually hurts you for more than a short period seem astronomically low.

We have more businesses saying they are shutting down or leaving the EU market over the fact that they can't take user data without permission than we have shutting down because they leaked all their users' data or let hackers in through complete negligence of any modern security practices.

> I mean, can you actually convince execs it's a good idea, no matter how charismatic you are? As a citizen, an engineer, and a consumer I think software and infrastructure security needs to be taken much more seriously due to how much breaches hurt people.

On SWIFT, yes, you can, thanks to their own reply to the Bangladesh incident: a reasonably thorough set of security guidelines called CSP/CSCF (Customer Security Program/Control Framework), compliance with which is now mandatory. Network isolation, 2-factor authentication, secure VDI for access, physical access controls, log retention, it's all in there. It's the perfect chance to get money and people from management and sanitize the situation.

Actually if in May 2018 you don't already have a running project and resources for compliance, you should be quite worried.

Interesting - I got as far as here before hitting login

https://www2.swift.com/uhbonline/books/a2z/customer_security...

Is there an openly published version of this? It would be interesting to see what best practice looked like.

I found an openly accessible link which gives you at least an overview of each of the security controls. Everything else is behind a login prompt, sorry.

https://www.swift.com/myswift/customer-security-programme-cs...

Well the pressure allows for new models to emerge. It's like a never ending war. The front lines keep moving back and forth between those who put themselves before others and those who don't.

The thing to remember is one side cannot fully ever take out the other.

Completely agree about the management part. Unfortunately, for them, security is not tangible and the capex to implement security tech gives them no revenues in return. Additional opex to maintain it only increases their skepticism about whether it is worthwhile at all. I remember, for one client, I recommended SIEM with threat intel integration (a free one, AlienVault OTX) and asked them to implement it. It went on the backburner because they never felt the need to dedicate 2 FTEs, one small server cluster and dedicated operational time for this. Also, since it was not regulated at that time, they never even bothered. Fast forward 3 years, they had WannaCry and had no clue which machine was patient zero, thanks to ill-managed logs, or what to even do about it. 500 man hours and ~1000 encrypted workstations (spread across 150 branches) later, they implemented it as part of their "proactive" defense strategy.