[notepad0x90]

Yes it is mostly a cost. Breaches are also a cost. When the homedepot security team tried to fix the issues that got them pwned, the execs said "we're not a security company, we sell hammers". Box ticking mindsets like that are held by incompetent and short sighted executives. The cost of security is decided by the cost of a potential compromise, it has nothing to do with profit margins. A lot of companies learn this lesson the hard way. Many "snakeoil" security companies exist because of this incompetent line of thinking by executives. It is easier to say you paid some company who made some b.s. claim than to actually fix problems, even if the 3rd party costs more than the cost of fixing problems.

In short, what you and OP commenter describe is incompetency, it should not be taken as the default, those are not defenders, those are mismanaged organizations. We're in 2024, every exec should know better.

[tpmoney]

> In short, what you and OP commenter describe is incompetency, it should not be taken as the default, those are not defenders, those are mismanaged organizations. We're in 2024, every exec should know better.

Everything in life is a trade off, and no-one is in the business of perfect cyber security defense. Therefore, businesses will *always* trade weaker cyber security defense for better/faster/cheaper/easier/more business in their actual line of business. Just like you do every single day. Do you have ALL traffic on your home network encrypted with mutual serve and client certificate verification? Do you only have your 256 character passwords memorized in your head and not stored in a password manager anywhere or otherwise recored somewhere? Are all of your home systems equipped with strict outbound firewall rules that only allow one time, on demand and confirmed communications with the wider internet? Have you hardened your home network against data exfiltration via DNS queries[1]? If you use 2FA for your accounts, and the objectively weaker password managers to store your passwords, are your 2FA tokens kept on completely separate devices from your password managers? Do you only allow direct console access to any of your systems and have no remote access like SSH enabled? Do you a have every single computer backing up their data into multiple redundant copies, without using the network for data transfer and with at least one if not more of those copies stored off site?

If you answered "No" to any of those questions, you also have chosen the route of "incompetency" and "mismanagement". It's 2024, and every IT person should know better. But of course we do "know better" and choose the objectively weaker options anyway because the stronger options get in the way of actually doing the things we want to use our systems for. You don't choose perfect cyber security defense for your home network because you don't have a home network for the purpose of practicing perfect cyber security defense. So it is with businesses, they don't have their systems for the purpose of practicing perfect cyber security defense either.

[1]: https://www.akamai.com/blog/security/dns-the-easiest-way-to-...

[eropple]

> We're in 2024, every exec should know better.

"Should" doesn't mean much. People respond to incentives. Can you explain the incentive function that exists today in the real world to prioritize the security cost center above the profit center?

I mean, I work at a company that I'd say does a pretty good job of this--in a regulated industry and after getting burned a few times. But you can still go full-send with VP approval, and the risk becomes part of the cost of doing business.

[notepad0x90]

the problem goes even deeper, execs chase short term profits and stock ticker bumps, that's the root cause in my opinion. You shouldn't prioritize security over the main business and profit, that was not my suggestion, but you should prioritize long term profits and reputation (ability to make even more profits in the long term), which is where security comes into play.

In other words, security is necessary for business. Just like how you would want your offices secured from burglars -- because otherwise you can't do business well -- you should want your digital assets secured from hackers, except unlike physical security, it isn't just local malicious actors and competitors after your business but intellectual property thieves, hacktivists, financially motivated cybergangs and more (not just nation state actors).

Failure to give proper priority and funding to cybersecurity, is failure to ensure conditions that make the company profitable and viable in the long term.

[eropple]

> security is necessary for business

It's not, though, that's the thing you aren't picking up. Managing risk to the tolerances necessary to make money is necessary for business. That's what's being done.

You say that it's about the long term, but within epsilon of nobody has gone out of business or even been seriously impacted by bad security posture. Experian gets wrecked on the regular, but it's not going out of business. Azure springs holes regularly enough that Corey Quinn has an ongoing schtick about it, but Microsoft isn't going out of business, either.

If you want security to be necessary for business, you need to make failing to operate securely a legitimate threat to an organization. Waiting for consumers to act collectively means you'll die of old age before seeing a twitch, so you're really talking about legislation. I would be in favor of this, to be clear--I think we as an industry are bad at cybersecurity, terrible even. But I'm describing what is, not what ought.

[notepad0x90]

Companies go out business because someone from China stole their intellectual property, that isn't uncommon. There are companies like riskiq and bitsight that rank your security posture, which other companies use to decide on giving you their business. If it is between your ransomwared company and the competition, you just lost a business advantage there. Azure and Microsoft are bad example, as is Experian, they don't have much competition. I think the whole ransomware trend has skewed how people think about security. It isn't just outages like the ones caused by ransomware that are a concern, keeping secrets and confidential information from your competition is a big deal. as is the trust of your clients, that you will protect their information.

> Managing risk to the tolerances necessary to make money is necessary for business. That's what's being done.

I agree, but that isn't what is being done at most places. Every organization should spend as much as their risk tolerance allows them to do so on security. My problem is with spending as little as possible without getting into legal trouble.