by JackOfCrows
1368 days ago
Good security and good security people cost money but don't generate any visible revenue. So if you care about your balance sheet, they make you look bad. Optimism bias is also a thing. People assume bad things won't happen to them. (This is a psychological phenomenon, not just an IT thing.) So if you're an exec, you could advocate for spending the money or you could just pocket your bonus for cutting costs and go "pfft, nothing is going to happen". And there's the old "if it's cheaper to deal with breaches if they happen than to pay security staff, most places are just going to assume nothing bad will happen and deal with the cost if it ever comes up".

This is the crux of the issue. Organizations have no incentive to invest in good security because they don't see any negative ROI in the now. It's amazing just how much they invest after the fact of a breach. They have to assume they will be breached at some point and have all the necessary operational security in place when they do get breached to limit the blast radius.
Opsec is usually an infosec term, but businesses do opsec all the time to protect assets and inventories; only it's not called opsec, just "standard practice" or a "business plan" or other terms, but really it's opsec under the hood. Also, opsec is not new; it's something long practiced by organizations and companies across the world.