[jacquesm]

> No company should ever spend more mitigating a risk than the potential cost they could incur from the risk

Funny, after the fact they are usually out a lot of money and they decide that they now do want to mitigate that risk.

[hluska]

It’s genuinely interesting how poorly companies perform when you gauge their ability to cost out a successful attack. Pre-attack, many seem to make an economic decision not to mitigate it. Post attack, the fifth CISO in four years gets fired, the CEO vows to do better and the cycle repeats all over…