[SamuelAdams]

I'm studying infosec, so I lean on the "pay for infosec people" side.

But from a company's perspective, if they have to pay 1M for an infosec team over five years, or 1M for a breach once every 5 years, what's the difference? You're still paying the same amount of money.

[quicksilver03]

Perhaps they consider that the employees will be way more productive without all the security barriers that the Infosec team would set up, so paying for the breach is a net gain in this light.

[zentiggr]

And then Equifax gets breached.

When does infosec start to realize that it's not just about company costs/risks, but the lives of all those users who are going to get screwed when your 'low risk = cheap fix' mentality pays off?

I'm in the Equifax breach (like sooooo many more)... part of my 'general concerns about the world' is whether/when I get my life hacked and have to rebuild.

Let me know where you get hired next, so I can take my business elsewhere.

[ativzzz]

Corporations do not care one bit for

> lives of all those users

Equifax cares about one thing: earning profits for its shareholders. They got caught with their pants down. Now other companies can look and try to estimate their expected cost of being breached (probability of being breached multiplied by the dollar cost) vs the dollar cost to upgrade their IT systems, infrastructure, management, company policies, etc etc etc. Realistically, Equifax is probably incapable of doing the necessary changes upfront without a complete overhaul of it's people and leadership structure.

The vast majority of companies will spend the least amount of money possible to pretend that they fixed the problem.

You want companies to care? Then create regulation that protects

> lives of all those users

[C1sc0cat]

You will be paying more for the second breach and paying once will get you put on the sucker list so others will see you as a easy mark to hack.