by eropple 655 days ago
> We're in 2024, every exec should know better.

"Should" doesn't mean much. People respond to incentives. Can you explain the incentive function that exists today in the real world to prioritize the security cost center above the profit center?

I mean, I work at a company that I'd say does a pretty good job of this--in a regulated industry and after getting burned a few times. But you can still go full-send with VP approval, and the risk becomes part of the cost of doing business.

The problem goes even deeper: execs chase short-term profits and stock-ticker bumps; that's the root cause, in my opinion. You shouldn't prioritize security over the main business and profit, that was not my suggestion, but you should prioritize long-term profits and reputation (the ability to make even more profit in the long term), which is where security comes into play.

In other words, security is necessary for business. Just like how you would want your offices secured from burglars -- because otherwise you can't do business well -- you should want your digital assets secured from hackers, except unlike physical security, it isn't just local malicious actors and competitors after your business but intellectual property thieves, hacktivists, financially motivated cybergangs and more (not just nation state actors).

Failure to give proper priority and funding to cybersecurity is failure to ensure the conditions that make the company profitable and viable in the long term.

> security is necessary for business

It's not, though, that's the thing you aren't picking up. Managing risk to the tolerances necessary to make money is necessary for business. That's what's being done.

You say that it's about the long term, but within epsilon of nobody has gone out of business or even been seriously impacted by bad security posture. Experian gets wrecked on the regular, but it's not going out of business. Azure springs holes regularly enough that Corey Quinn has an ongoing schtick about it, but Microsoft isn't going out of business, either.

If you want security to be necessary for business, you need to make failing to operate securely a legitimate threat to an organization. Waiting for consumers to act collectively means you'll die of old age before seeing a twitch, so you're really talking about legislation. I would be in favor of this, to be clear--I think we as an industry are bad at cybersecurity, terrible even. But I'm describing what is, not what ought.

Companies go out of business because someone from China stole their intellectual property; that isn't uncommon. There are companies like RiskIQ and BitSight that rank your security posture, which other companies use to decide on giving you their business. If it is between your ransomwared company and the competition, you just lost a business advantage there. Azure and Microsoft are bad examples, as is Experian; they don't have much competition. I think the whole ransomware trend has skewed how people think about security. It isn't just outages like the ones caused by ransomware that are a concern; keeping secrets and confidential information from your competition is a big deal, as is the trust of your clients that you will protect their information.

> Managing risk to the tolerances necessary to make money is necessary for business. That's what's being done.

I agree, but that isn't what is being done at most places. Every organization should spend as much on security as their risk tolerance allows. My problem is with spending as little as possible without getting into legal trouble.