by eropple 656 days ago
> You're wrong, defenders are not profit centers. You don't expect the security guard for your office building to generate profit, why would you do so for your digital assets? Defenders are like lawyers and HR, they are cost centers whose existence is justified because attackers also exist.

I didn't say that infosec was a profit center. But they're in tension with profit centers for attention and sway, and by the way--the profit centers are the ones who make money.

I've said it before, I'll say it again: People Respond To Incentives. Lawyers and HR are generally not respected except insofar as they protect companies from visible legal risk, and often not even then. Infosec is so vague as to appear as a tiger rock to people who aren't plugged into it.

> Defenders are there so that when other teams who "ship" attempt to do so, the application, system, company or wherever you have protected data doesn't get compromised.

Everyone, infosec included, is trying to ship. Shipping is how you make money, make payroll, and keep people employed. You only don't ship when your risk calculus indicates that the cost of not shipping is less than the cost of shipping.

This us-versus-them thing brings us back to "the most secure system in the world is in an unplugged box". But we don't operate businesses off of unplugged boxes. Risk management exists. If this is how you would argue risk management with the median exec I've known, you'd lose. I have skilled infosec friends who've had better success than this through wise process and product choices, though.