Corporate Security Underinvestment
The cluster discusses why companies underinvest in cybersecurity, prioritizing profits because breach costs and penalties are lower than prevention expenses, often citing externalities, lack of incentives, and market dynamics like the 'Market for Lemons'.
Sample Comments
The problem is the externalities of insecurity. The company who is insecure doesn't suffer all the consequences of a security breach, so they don't spend as much money to mitigate it. If software security was similar to say building/fire safety or food safety where serious cost/legal consequences were attached to failures, we'd likely see more spending...
You can't :) There is a huge Market for Lemons (https://en.wikipedia.org/wiki/The_Market_for_Lemons) style scenario in IT systems with relation to security. Everyone will say "we take security seriously", but there's no way for ordinary consumers (or indeed most companies) to determine what the company meant by their statement, and to evaluate the relat
Companies say they care about security, but don’t pay as much
It seems that companies would rather buy "insurance" rather than spend money on actual security. They have accepted that they will eventually be hacked or have a really expensive outage, so now they want a cushion of money to pay for any penalties and lawsuits. I get the impression that for the most part, no one really believes in security, and doesn't understand that it's a process and not a product. They already tried throwing money at the problem by purchasing security p
That's exactly it. They're seen as an unnecessary cost because there are no real penalties for being compromised. Though this is fortunately changing, which has caused companies to begin to take this stuff more seriously than in the past.
Preventing this thing from happening costs a lot of $$$, so pretty much everyone just "accepts the risk" seeing that the probability of something like this happening to your company (during your tenure) is still super low. All companies with a somewhat robust security posture I know have had a string of incidents in the past; that seems to be the only thing that can motivate them to put $ in security.
Isn't too bad, keeps security front of mind. If there weren't any groups going around and doing this kind of thing, big companies would be even more complacent than they are.
When these companies say there are "security concerns" they mean for them, not you! And they mean the security of their profits. So anything that can cause them legal liability or cause them brand degradation is a "security concern".
The article states that current practices don't serve the company or the people. This is false. Good security is very expensive. The board knowingly bets that the damage will be far less than the cost. Meaning it's a non-tangible effect to them. It's mostly noise in the form of drama. If we want security we have to fix government. No other industry can just expose SSNs, credit cards, personal details, and get a slap on the wrist. Software must be treated like an engineerin
Why bother when not a single vulnerability has resulted in any appreciable fines or loss of market share? It's absurd how untouchable their ubiquity has become.