[fardo]

Teams avoiding security reviews are common cross-industry.

Incentives everywhere are “dodge” - the expected outcome for managers and engineers is missed deadlines and reschedulings on prior promises, frequent blame-focused meetings and late nights; and low prestige, high effort work unsuitable for making the company money, getting promotions, or maintaining agility in the future, as most security work is extremely mercurial and often only very marginally improves security, if at all.

Most “security fixes” at large firms are built on inscrutable black-box internal tooling which becomes a massive single point of failure and is rarely as hardened as implied, gets re-shuffled on what constitutes “best practices” every 12 months such that a feature team can spend literally all their time doing security work the team will be throwing out next year, are often not intelligently scoped to handle “this issue doesn’t specifically apply to my component”, and aren’t even the weak link when most hacks are

> An insider replied to the wrong email, or put a zip file into a thumb drive then ran off with everything his computer had downloaded, which was a lot.

Most teams grit their teeth and implement, but if the benefit isn’t there, just the requirement, teams remember and get a lot slower to pick up the phone.