[close04]

Moving to another solution involves some expense and operational risk (changing procedures, increased human error rates, locking yourself out). Even though the risk of staying with the existing solution goes from "unlikely" to "possible" (so maybe from yellow/amber to red), a lot of companies rationalize it as "but now the provider will be extra careful so the likelihood is actually lower".

Crowdstrike had a famous incident and is still probably #2 in the cybersecurity world. Sometimes assessing risk is a funny business.

[fpoling]

I worked for a big company that switched from 1password to Keeper. The transition was smooth and I do not see why it shouldn’t be as long as IT knows what they are doing.

[seb1204]

True, but how come such risks are addressable when adding AI or opening up to yet another API or when some savings are promised with a new product/product feature?

[close04]

> when adding AI ... or when some savings are promised

Because savings are promised. And who could say no to AI? (/s)

There's always some risk mitigation possible but it's costly or inconvenient. Companies pretend the risk is lower so they can do whatever they wanted to do but now with less accountability. The risk matrix says so.

But sometimes the tradeoff is genuinely not worth it. The bottom line is that each company has to do it's own calculations and decide whether moving is overall a better choice. Which risk is higher, that your provider is breached again or that you have new operational issues with the new solution. Which costs more, a chance of another security issue, or the guaranteed expense of replacing the solution? You do the same math at home all the time. Your washing machine leaked once, do you replace everything or just patch the hole?