|
|
|
|
|
|
by Ericson2314
985 days ago
|
|
|
The blog post is confusing the nature of policy changes being bullshit with the in-office being bullshit. Star ICs crushing it at remote work doesn't mean star teams; and if their coworkers are avoiding them in reviews it does sound like there are communication issues at play. |
|
|
Incentives everywhere are “dodge” - the expected outcome for managers and engineers is missed deadlines and reschedulings on prior promises, frequent blame-focused meetings and late nights; and low prestige, high effort work unsuitable for making the company money, getting promotions, or maintaining agility in the future, as most security work is extremely mercurial and often only very marginally improves security, if at all.
Most “security fixes” at large firms are built on inscrutable black-box internal tooling which becomes a massive single point of failure and is rarely as hardened as implied, gets re-shuffled on what constitutes “best practices” every 12 months such that a feature team can spend literally all their time doing security work the team will be throwing out next year, are often not intelligently scoped to handle “this issue doesn’t specifically apply to my component”, and aren’t even the weak link when most hacks are
> An insider replied to the wrong email, or put a zip file into a thumb drive then ran off with everything his computer had downloaded, which was a lot.
Most teams grit their teeth and implement, but if the benefit isn’t there, just the requirement, teams remember and get a lot slower to pick up the phone.