by bdunks
855 days ago
Banking and financial services average 8.1% of revenue on IT spending. Industries like industrial manufacturing, food and beverage, retail, and energy average 1.2%-1.9%. Many security leaders (CISOs or otherwise) do not have the budget or authority to meet their board's or CEO's expectations, but it may be outside your sample of big banks. I'm otherwise aligned with your comment. The successful CISOs I've interacted with, regardless of industry, educate their leadership team on the trade-offs and risks of investment levels, set realistic response and recovery time expectations based on those investments, and turn it into a business decision, rather than promising the impossible.
I said CISOs are uniformly incompetent at cybersecurity. No matter how many resources they are provided they are uniformly incapable of delivering security acceptable to the business customers, shareholders, and stakeholders.
There are exactly zero universes in which it is acceptable for a bank to be thoroughly compromised for $1M. If they wrote the truth in their advertising and investor documents, there would be calls for blood. It is the job of the security organization to make sure the CEO is not aware of the truth so that the CEO can continue safely making statements palatable to the stakeholders.
This is not a problem that can be solved by the current actors through increased resources, effort, or focus. They have demonstrated they are incapable of achieving minimally acceptable outcomes across the entire range in every field. There are no gold standards to point to, no paragons to emulate, just piles of crap littering the wasteland. Meaningful security will not be attained until we throw away all of the commercial IT garbage and build things on the various high robustness systems designed and verified to protect against professional and state actors.