[jtdev]

Agreed, It doesn’t seem appropriate for info-sec people to be making decisions about what which risks to mitigate, ignore, etc. They should provide input into that process though. We struggled to even get the CIO and CEO to acknowledge and discuss info-sec risk and make decisions regarding what to do about that risk.

[jcims]

Oh yeah, if they aren’t going to even show up to the conversation then it’s time to yank the ripcord.

[stx]

By yank the ripcord do you mean leave the organization? I see this type of behavior at just about every company I have worked. There is no real priority to fix security holes even when they are discovered.

[jcims]

Depends on the circumstance and what your career goals are. If you want to develop your leadership skills, stay put and try to drive change. If you're developing your IR/SOC/threat hunting skills, maybe stay put b/c you're likely to be needed (assuming org is large enough target to get interesting attention). If you're doing assessment/red team/pen testing I'd stay a short while then move on b/c your reports are going to start to be recyclable. If you're doing security architecture/engineering/etc you're going to be resource starved so maybe move on.

Moral of the story is determine how it impacts your career goals and chose.