[lenerdenator]

Breaches by attackers will continue until it becomes prohibitively expensive or dangerous for the attackers to do what they do. This isn't something companies can do; it takes a government to do that.

Until then, it's a great way to squeeze crypto out of some company to make up for the fact that your country is under sanctions tied to the US Dollar, and since it's hard to prove to the bean counters that an attack will happen with reasonable certainty on a given system in the next quarter, good luck getting resources and priority for mitigations beyond the usual.

[alephnerd]

> since it's hard to prove to the bean counters that an attack will happen with reasonable certainty on a given system in the next quarter, good luck getting resources and priority for mitigations beyond the usual.

False.

Companies are now liable to report breaches to the SEC and steps taken to remediate.

As I've mentioned several times on HN before, heads do roll and C-Suite does care about security posture now that liability and insurance payouts are on the line.

The annoying thing is HNers will never see the actual successes (because these are obviously kept private) and only see a couple glaring failures.

Furthermore, this report is an advertisement for Verizon's MSSP division (Verizon Business), which companies pay to manage their security posture - all telcos have had an MSSP BU since the 1980s (ATT Global Business Services being the market leader)

You'll see a lot of BS like this for the next 2 months because RSA is in 2 weeks and AWS Re:Invent in a month. It's conference season (great time to stock up on free tshirts and drink Blanton's on the corporate tab)

[lenerdenator]

> Companies are now liable to report breaches to the SEC and steps taken to remediate.

I'm looking at UnitedHealth's stock price over the last year. The theft happened in February. There was a dip; it's already recovering from that.

The market doesn't particularly care about those disclosures, it would seem.

[StressedDev]

Investors do care. After all, if a company does not improve its security, its customers will leave.

[alephnerd]

Stocks are not the "holy grail decide all" when much of UHG and Optum's leadership is in front of Congress as we speak during an election year and with significant liabilities due to potential breaches of contract by failing to produve billing to their customers.

Go on LinkedIn and take a look at who's on the CISO org and below at UHG and Optum today - in 6 months 60% of them will no longer list either as their employer.

UHG the organization will continue to exist, but the people who make up that organization will have their heads roll.

There is no Mr UHG the 3rd running stuff there or in the majority of F1000s - it's professional managers who climb up and down the ladder.

Not everything is some sort of conspiracy with mustachioed men and DEI puppets parroting Milton Friedman and Ronald Regan like the HN hivemind loves to think.

[dantillberg]

The CISO role is too often just a game of roulette. The big question is whether the CISO is actually able to effect changes that have material impact on their own fate, by improving security posture. If not, then the CISO is merely compensated to play the scapegoat when luck is down.

[alephnerd]

CISOs aren't the only heads that roll.

Security incidents will often directly impact platform and infrastructure teams, who's leadership and EMs heads roll as well.

If there is a very public breach, literally everyone director upwards will inevitably get purged over the 12 months post breach.

I've worked on enough cases like this to see it happen.

[Starman_Jones]

If it doesn't affect stock price, though, then the CEO, board, and shareholders are all incentivized to keep IS costs low, and ignore any costly security recommendations.

[lenerdenator]

Being dragged in front of Congress on anything related to a computer is not a big deal; if it were, Mark Zuckerberg would not be CEO of Meta. The liabilities will be played out in court over the next decade, and you'll possibly see some legislation passed over that time period limiting liability in these situations, because how can we possibly expect these companies to deliver value to shareholders while shouldering the risks posed by adversarial state-backed hackers?

Personal responsibility as conducted through firings means more for the rank-and-file than for directors and above. It's not about what you've done as much as who you know in those levels.

TL;DR: I'll believe it when I see it.

[StressedDev]

You stated "Being dragged in front of Congress on anything related to a computer is not a big deal". I do not think you understand how the United States works. The United States government can destroy a company if it wants to. A good example is TikTok. Angering senators, or representatives is a very dangerous thing to do. If you want to see the results, look at the legal problems Google is having, or the problems Microsoft had in the late 1990s and early 2000s.

[alephnerd]

> how can we possibly expect these companies to deliver value to shareholders while shouldering the risks posed by adversarial state-backed hackers

1. Liability

2. Insurance Premiums

3. Regulation

1 and 2 are already in place, and 3 is currently working it's way over the next couple years.

> TL;DR: I'll believe it when I see it.

Cynicism is valid, but at some point it's just unfounded nihilism, and you as an individual IC will never publicly see these changes as they are well above your pay grade (and you sure as hell won't hear about it publicly)

> Being dragged in front of Congress on anything related to a computer is not a big deal

It is when you are on the hook for that federal bailout to prevent the entire healthcare system from collapsing [0] caused by incompetence surrounding credential management

[0] - https://www.wsj.com/articles/calls-mount-for-government-help...

[photonthug]

> Cynicism is valid, but at some point it's just unfounded nihilism, and you as an individual IC will never publicly see these changes as they are well above your pay grade (and you sure as hell won't hear about it publicly)

Weird comment, are we supposed to trade the unfounded nihilism for unfounded optimism? Apparently accountability and transparency[1] are widely available.. behind closed doors.

[1]: yep, transparency is kinda required for having effective insurance, regulation, or liability.

[akira2501]

> until it becomes prohibitively expensive or dangerous for the attackers to do what they do.

We used to hang thieves. We still had theft.