Hacker News

I agree completely. I didn't ask why government enforced regulation hasn't happened. I asked why industry self-regulation has failed. I've worked in a regulatory/security role for a major conglomerate before.

I'm not saying I expected self-regulation to work. But, if you are in a position of customers seeing direct harm every day, it's not unreasonable to ask why there is a failure here.




I think it has failed because the industry is moving way faster than most people can keep up.

Even your average developer isn’t going to be aware of security changes in the industry to know what’s important or not. It’s going to be even less likely for someone not in engineering to remotely know what’s important or not.

Security professionals know but do you seek out a cardiologist first before you ask your GP? Probably not because, being not at all trained, you have no clue about anything. And if your GP doesn’t know, you are kind of on your own.


"People" don't need to keep up, the internal controls team needs to keep up, and it's possible to staff such a team with people who know how to mitigate phishing attacks when you are one of the largest corporate targets of phishing by volume on the earth.


They do because they are the ones hiring.

If you’re trying to decide between electricians but you know nothing about electrical jobs, you’re going to be unable to make any meaningful decision. You’re just going to pick the one that sounds the best.

Heck, you could be using the same mediocre electrician for years and even recommend it to friends because you still have no clue about the workmanship.


What does it mean for the industry to self-regulate? How do you define industry? Is it telecoms, or all tech companies?

Self-regulation has failed because the cost of a data breach remains relatively low compared to implementing security measures, at least on the surface.


Regulation generally is targeted at preventing consumer harm. Self-regulation is the practice of appropriately mitigating consumer harm. I mean mobile subscription providers here by "industry."


You can find an answer in their profitability in spite of repeated negligence.



