by tristor 1097 days ago
> Every security solution is just the same Black Box with a one-trick-pony in it.

This is a cultural problem in the information security space and one reason why I've left that space. I call this "checkbox compliance" culture. Most customers want a box they can rack, check the box on a compliance audit, and move on. Very few companies actually give a shit about security as a practice or philosophy, and don't actually do any of the work to build security into their products and systems.

The epitome of this is that many companies operate devices at their border that strip encryption by using a company-provided CA to man-in-the-middle all traffic across their network to do DPI, and then re-encrypt (hopefully) to the ultimate target. From the perspective of the employee, the primary attacker on the network is the company's own infosec team, because the policies and compliance checkboxes are achieved in the worst possible iteration of how you might meet compliance without any regard to /security/.

This is a fixable situation, but it's a hard thing to fix because like most cultural issues, it's ultimately some kind of tragedy of the commons.
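A practical check for the interception setup the comment describes, as an added example that is not part of the original post: two heuristics over the dictionary that Python's `ssl.SSLSocket.getpeercert()` returns (a documented stdlib format). An interception box re-mints a leaf certificate for every site, so the issuer changes to the company CA and the `notBefore` is often only minutes old. The sample certificates, the CA names ("Example Public CA R3", "Acme Corp Proxy CA") and the `fresh_seconds` threshold are constructed for this example.

```python
"""Detect whether a TLS session was terminated by an interception proxy.

Added example, not from the original post. It works on the dict that
ssl.SSLSocket.getpeercert() returns (a documented stdlib format). The
sample certificates and CA names below are constructed for offline use.
"""
import socket
import ssl
import time


def _rdn_to_dict(rdn_tuples):
    """Flatten getpeercert()'s ((('commonName', 'x'),), ...) into a dict."""
    out = {}
    for rdn in rdn_tuples:
        for key, value in rdn:
            out[key] = value
    return out


def classify_peer(cert, expected_issuer_cn, private_ca_cns=(), now=None,
                  fresh_seconds=3600):
    """Return a list of findings for a getpeercert() dict (empty = looks genuine).

    expected_issuer_cn: issuer CN you recorded once from a network you trust.
    private_ca_cns:     issuer CNs of company-run CAs (hypothetical names here).
    now:                epoch seconds, injectable so the check is testable.
    A proxy mints a leaf per connection, so a notBefore only minutes old is a
    second, independent hint even when the issuer name is unfamiliar.
    """
    now = time.time() if now is None else now
    issuer = _rdn_to_dict(cert.get("issuer", ()))
    cn = issuer.get("commonName", "")
    findings = []
    if cn in private_ca_cns:
        findings.append("issuer is a private CA: " + cn)
    elif cn != expected_issuer_cn:
        findings.append("issuer changed: " + repr(cn))
    not_before = cert.get("notBefore")
    if not_before:
        age = now - ssl.cert_time_to_seconds(not_before)
        if 0 <= age < fresh_seconds:
            findings.append("certificate minted %d s ago" % age)
    return findings


def fetch_peer_cert(host, port=443, timeout=5.0):
    """Live check: connect with the system trust store and return getpeercert().
    Not called by the offline samples below."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed samples in getpeercert() shape; all issuer names are made up.
NOW = ssl.cert_time_to_seconds("Mar  1 12:00:00 2024 GMT")
GENUINE_CERT = {
    "subject": ((("commonName", "example.com"),),),
    "issuer": ((("organizationName", "Example Public CA"),),
               (("commonName", "Example Public CA R3"),)),
    "notBefore": "Jan 15 00:00:00 2024 GMT",
    "notAfter": "Apr 14 23:59:59 2024 GMT",
}
INTERCEPTED_CERT = {
    "subject": ((("commonName", "example.com"),),),   # subject is unchanged: useless as a signal
    "issuer": ((("organizationName", "Acme Corp"),),
               (("commonName", "Acme Corp Proxy CA"),)),
    "notBefore": "Mar  1 11:58:30 2024 GMT",          # minted 90 s before NOW
    "notAfter": "Mar  2 11:58:30 2024 GMT",
}
PRIVATE_CAS = ("Acme Corp Proxy CA",)

if __name__ == "__main__":
    for label, cert in (("genuine", GENUINE_CERT), ("intercepted", INTERCEPTED_CERT)):
        print(label, "->", classify_peer(cert, "Example Public CA R3", PRIVATE_CAS, now=NOW))
```

Note that the subject stays identical on the re-minted certificate, which is why comparing the subject or the hostname tells you nothing; only the issuer and validity window move. Both heuristics can be defeated by a proxy that relays the real chain or ages its certificates, so the stronger form is pinning the SPKI hash recorded from a trusted network.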


Completely agreed. I also see it as a side effect of leadership that's not IT savvy. The person setting policy, if they don't understand the problem and risks, often picks solutions that make it 'somebody else's problem'.

'I don't know Security, so I'm going to pay an MSSP to do it for me.'

This is not a bad thing, per se, it just means that their controls are ceded to a company who has marketing, shareholders, management layers, and _they_ want to optimize _their_ costs... so the protection of your organization will be 1/N of the response team's attention... where N is the number of other companies they're responsible for monitoring.

It's POSSIBLE that you'll get better support by letting an expert multiply their skills across a larger population of targets...it's just not LIKELY.