[red-iron-pine]

No F500 tier executive is doing that.

They paid Accenture and Gartner to tell them what to do.

Ditto for having them set up a security organization -- get Accenture to sit a temporary CISO, hire some people, and then fuck off. Hopefully the replacements work!

Mom and Pop shops might use Google, but in 2024 they're usually using whatever the local, oversubscribed MSP is selling.

[leonadato]

and the problem there (as I see it) is that they don't care about security, they care about passing their audit.

"Passing our audit" has been presented with measurable consequences (cannot sell to customers) and finite, well-defined actions (this is what the audit list looks like).

What I'd like (the goal of the follow up article, coming soon) is to present the value of security in a way that makes the justification of the effort viable and palatable.