|
|
|
|
|
|
by googlryas
1387 days ago
|
|
|
What's good for Twitter the company and Twitter the stockholders is not necessarily what is good for Twitter users. Security breaches negatively affect the users whose data is breached. It only affects the company if it takes a reputational hit because it was announced that their security was breached. But, will India announce that they forced an insider in Twitter with access to all sorts of user data? Probably not. Will people swept up by India's secret police know that it was twitter that ratted them out? Probably not. Let's look at a CEO of a cigarette company in the 1940s. The head of health comes to him with strong evidence that cigarettes cause lung cancer and are slowly killing their users. What would the appropriate action for a CEO be? Or for the head of health? Is the head of health a failure if he can't convince the CEO that they shouldn't be selling cigarettes? I don't think so. Because the head of the company might care more about money than about giving people cancer, and that is his choice to make. Yeah, maybe the company may hit some rough times later, but if the CEO just hides this report, then the CEO can keep making money, and maybe the shit won't hit the fan until the CEO is already retired or dead. Instead of stopping the sale of tobacco and shuttering the business, the CEO fires the head of health. Then, the head of health goes to a newspaper as a whistleblower saying that tobacco causes cancer and the CEO knows about it. In what world is the head of health a failure here? |
|
|
an analogy in ITSEC would be knowledge of an actual (not potential) ongoing user data exfiltration and hiding knowledge of that
most ITSEC scenarios are not this, but rather a failure to explain why the potential loss of doing nothing is worse than the actual loss of doing something, just like a CRO must explain why the potential loss of not entering a market is worse than the cost of entering it