It's not, though, that's the thing you aren't picking up. Managing risk to the tolerances necessary to make money is necessary for business. That's what's being done.
You say that it's about the long term, but within epsilon of nobody has gone out of business or even been seriously impacted by bad security posture. Experian gets wrecked on the regular, but it's not going out of business. Azure springs holes regularly enough that Corey Quinn has an ongoing schtick about it, but Microsoft isn't going out of business, either.
If you want security to be necessary for business, you need to make failing to operate securely a legitimate threat to an organization. Waiting for consumers to act collectively means you'll die of old age before seeing a twitch, so you're really talking about legislation. I would be in favor of this, to be clear--I think we as an industry are bad at cybersecurity, terrible even. But I'm describing what is, not what ought.
Companies go out business because someone from China stole their intellectual property, that isn't uncommon. There are companies like riskiq and bitsight that rank your security posture, which other companies use to decide on giving you their business. If it is between your ransomwared company and the competition, you just lost a business advantage there. Azure and Microsoft are bad example, as is Experian, they don't have much competition. I think the whole ransomware trend has skewed how people think about security. It isn't just outages like the ones caused by ransomware that are a concern, keeping secrets and confidential information from your competition is a big deal. as is the trust of your clients, that you will protect their information.
> Managing risk to the tolerances necessary to make money is necessary for business. That's what's being done.
I agree, but that isn't what is being done at most places. Every organization should spend as much as their risk tolerance allows them to do so on security. My problem is with spending as little as possible without getting into legal trouble.
It's not, though, that's the thing you aren't picking up. Managing risk to the tolerances necessary to make money is necessary for business. That's what's being done.
You say that it's about the long term, but within epsilon of nobody has gone out of business or even been seriously impacted by bad security posture. Experian gets wrecked on the regular, but it's not going out of business. Azure springs holes regularly enough that Corey Quinn has an ongoing schtick about it, but Microsoft isn't going out of business, either.
If you want security to be necessary for business, you need to make failing to operate securely a legitimate threat to an organization. Waiting for consumers to act collectively means you'll die of old age before seeing a twitch, so you're really talking about legislation. I would be in favor of this, to be clear--I think we as an industry are bad at cybersecurity, terrible even. But I'm describing what is, not what ought.