by toomuchtodo 1650 days ago
As long as poor security is cheaper than effective security, nothing changes. Equifax, SolarWinds, and Colonial Pipeline are all still in business.
2 comments

This. We really need more competitions to help.

Competition won't help - it is impossible for an outsider to accurately measure a company's security practices and pick a company based on that.

What we need is regulation regarding putting personal data at risk to provide a financial incentive for companies to take security seriously.

That is the last thing business wants. The credit card brands developed PCI to avoid regulation. But in most circumstances, there is no 800 pound gorilla to enforce security standards.

If you do an in-depth read of the PCI security standards, you’ll see that the standards are about protecting the card brands, not you.

PCI is a very bad example because when it comes to card fraud the liability is on the merchant, bank or card networks. So in that sense it's actually normal that PCI focuses on protecting card brands and not you because you are already protected by them and they're just trying to recoup the costs.

You can't compete against free.

Risk is free.

A risk-aware competitor faces a higher cost function and a market which won't support it.

What we need is regulation, and direct liability of corporations, stockholders, creditors, and executives.

Change doesn't only occur with death.