Duhck 4 hours ago
When I worked in cybersecurity I had a similar realization. No one cared about security posture. They cared about insurance policies. People hired us to shift blame instead of improve security posture. This is not terribly different
leeter 4 hours ago
This is why I've said for years: if you want to drive best practices and policy with companies, you can only do it with liability. Particularly non-insurable and non-tax-deductible liability. If a company can't offload civil or criminal penalties to their insurance company and take the tax write-down, they suddenly start caring about it. That said, this should be used sparingly, as it embeds a behavior deeply. If that behavior later no longer makes sense, it can be extremely costly to change.
bjackman 4 hours ago
One of my FAANG security projects incidentally helped with some compliance efforts (I made very sure it was incidental, constantly saying things like "I am thrilled that I can help you guys achieve your goals, but I wanna be clear that I don't give a shit about compliance and I won't be allowing it to influence the direction of my product" in meetings; it must have been extremely annoying to work with me). At some point I was asked to look over the documents for the compliance definition, and it was really hilarious. I had to give my engineering perspective on which aspects of the requirements we were and weren't meeting. But they were stuff like "you must have logs", "you must authenticate users", "you must log failed authentication attempts". Did we fulfill these requirements? It's a meaningless question. Unless you were literally running an open-door telnet service or something, you could interpret the questions so as to support any answer you wanted to give. So I just had to be like "do you want me to say yes?" and they did, so I said yes. Nothing productive was ever achieved during that engagement.
wccrawford 4 hours ago
I think it's subtly different than that. Companies do want to be secure. They try, and they often fail because it's hard. They hire auditors to find problems and to shift blame. But since they only have 30 days to fix the problems that are found, it's going to seem a lot like they only care about shifting the blame, because at that point they only care about passing that audit. Right after that, though, they start caring about security again. How do I know? 19 years' experience going through those audits on the company side. For 11 months of the year, it was clear the boss cared about security. For that 1 month during the 'free retest' period, they only cared about passing that audit.