by pmoriarty 1775 days ago
It's much worse than this.

I've seen this happen more than once, where IT spells out the risks and recommends tighter security practices, more security hardware/software, more backups and redundancy, a bigger security team so they're not just running around fighting fires all the time and have some resources to improve security, etc, but these requests are denied because there's not enough budget for them or they're too inconvenient (as security is almost always a tradeoff against convenience).

Then there's a security incident and suddenly money materializes out of nowhere and they'll pay whatever it takes to get back online, making the security and IT teams work nights and weekends until the incident is resolved.

At the same time, security looks like incompetent idiots for letting the incident happen in the first place, with everyone conveniently forgetting that multiple requests to tighten security were denied. Many other people in the company don't even know what happened, but consider the security team to have screwed up.

So security often winds up looking like idiots, though it's not their fault. Or maybe there really was a screwup by someone who's no longer with the company. Dealing with gigantic legacy systems and endless complexity that no one fully understands is common.

When the security incident blows over, those security budgets shrink again and the importance of security dwindles as other parts of the business take precedence, until the cycle repeats again and again.

Or security really is taken seriously at some companies, and then the security teams are often seen as the "no men", and widely despised because they stand in the way of getting work done.

These reasons and more are why I don't like to work in a security role. Let someone else take the blame.