by vidanay 654 days ago
Surprisingly few companies (or people) care about paying for good security.
5 comments

The problem with paying for good security is that it's very difficult for non-security experts to evaluate the genuinely effective ways to do that.

Is buying antivirus "paying for good security"? Hiring the first security firm that showed up in a Google search?

If you advertise for a security person to join your company, how do you effectively interview candidates?

No F500 tier executive is doing that.

They paid Accenture and Gartner to tell them what to do.

Ditto for having them set up a security organization -- get Accenture to sit a temporary CISO, hire some people, and then fuck off. Hopefully the replacements work!

Mom and Pop shops might use Google, but in 2024 they're usually using whatever the local, oversubscribed MSP is selling.

And the problem there (as I see it) is that they don't care about security, they care about passing their audit.

"Passing our audit" has been presented with measurable consequences (cannot sell to customers) and finite, well-defined actions (this is what the audit list looks like).

What I'd like (the goal of the follow-up article, coming soon) is to present the value of security in a way that makes the justification of the effort viable and palatable.

Would argue the opposite. Many people pay cloud providers because of the built-in security and auditing. See AWS gov cloud for an entire sector.
People do care about security. They will strengthen their roofs as hurricanes blow up worse. They buy big and tough cars to better survive auto-accidents. They will accompany their kids home from school and install burglar alarms. Plenty of Americans are even happy carrying a firearm around just in case...

What people do not give a shit about is digital security. Because nothing about computers or the Internet "is real". And it's getting less real by the day. That's the fascinating psychological talking point.

This is just a specific case of the general problem of long-term, cultivated, or difficult-to-measure goods. Who gets more recognition or reward, the guy who hardened his software over time to prevent the bug, or the guy who swoops in to fix the bug? The guy who tested his code to prevent bugs, or the 10x rOcKsTaR who shat out a mess of an app that appears to do what it should, but leaves everyone else cleaning up the disaster later?

Our culture in particular excels at implementing this bias.

Security is hard, and determining what is worth paying for when it comes to security is arguably even harder - there seems to be a higher-than-typical number of snake oil salesmen and grifters in the industry.