by devadvance 1605 days ago
Generally this is an accurate take. I'd add two things:

> ...because they've realised they really have no idea of their exposure.

This is partially because it is often non-engineers being asked to figure this out. The "information security analysts" at F500s are asked to do a lot of unfair work, such as analyze risks related to decades-old software they didn't build.

> ...there's a whole business ecosystem in just being able to answer that question let alone do anything about security issues.

The first part (answering "what dependencies does my software have") isn't inherently bad. I'd emphasize the underinvestment in the second part more.

1 comment

>> The "information security analysts" at F500s are asked to do a lot of unfair work, such as analyze risks related to decades-old software they didn't build.

I think that's putting it mildly. When it comes to responding, they'll look around and find that they only have a small number of full-time employees with the skills to partake in a response. Most of the IT organization will be dependent on vendors who struggle during the best times while their leadership has the ear of the CIO because IT is only viewed as cost.

The full-time employees will frequently be the real heroes, but when the incident passes this won't be recognized. Things will repeat themselves with the next major vulnerability discovered, but the organization may find that they have even fewer employees at that point to lead a response.