[justin_oaks]

Ultimately, the problem is self-interested people, misaligned incentives, and insufficient legal recourse for victims.

What's the motivation to do anything right in security if most of the time you don't have a breach and you can get away cutting corners? When something does go wrong, you can blame it on underlings, claim it was a "sophisicated attack from nation-state actors", and rely on the public to not care?

I don't know that security is comparable to project management, health care services, or marketing. Inefficiencies in those have visible costs and reasonably good incentives for improving them.

[mmvasq]

That’s when you step away. Come back later and take that last statement and spin it to a question instead. Can security have viable costs and incentives- what is a new way to improve it? Can’t see opportunity any more then take a break. I hate the nation state lies they muddy the real issues. That is not saying there are not threats, yet the hype and lazy attribution isn’t improving anything.