
> The risk of ZScaler being a central point of failure is not considered. But - the risk of failing the compliance checkbox it satisfies is paramount.

You're conflating Risk and Impact, and you're not considering the target of that Risk and that Impact.

Failing an audit:

1. Risk: high (audits happen all the time)

2. Impact to business: minimal (audits are failed all the time and then rectified)

3. Impact to manager: high (manager gets dinged for a failing audit).

Compare with failing an actual threat/intrusion:

1. Risk: low (so few companies get hacked)

2. Impact to business: extremely high

3. Impact to manager: minimal, if audits were all passed.

Now, with that perspective, how do you expect a rational person to behave?

[EDIT: as some replies pointed out, I stupidly wrote "Risk" instead of "Odds" (or "Chance"). Risk is, of course, the expected value, which is probability X impact. My post would make a lot more sense if you mentally replace "Risk" with "probability".]


In general, problems are much easier to solve when you have them than when you try to guess what they will be.

I manage IT at a mid-size business. At least once a month, I get asked to release some incoming email from quarantine that got sent there because the sender's SPF record is wrong or outdated and doesn't include all the email services they actually use. (What this really tells me is how many small businesses are out there running with no in-house IT expertise or support of any kind.)

I don't do whitelisting. Instead, I always reach out and offer to help the other party correct their SPF record.

It happens often enough that I wrote a script in Racket that will generate the email for me and paste it into the clipboard [1]. The email tells them exactly what they need to change, and links to docs from their current email provider (so they don't have to trust me about edits to their DNS).

[1]: https://gist.github.com/otherjoel/6b8bf02f6db6e0c47ba6bca72e...
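To show the check behind the situation described above (a sender whose SPF record does not cover a service they actually use), here is an added example in Python that is not the commenter's Racket script or the gist: it evaluates a sending IP against an SPF record and reports which mechanism decided the result. The DNS table is constructed for the example; a real tool would query TXT, A and MX records instead.

```python
import ipaddress

# Constructed in-memory stand-in for DNS (assumption): real code would resolve these.
DNS = {
    "example.com": {
        "txt": "v=spf1 ip4:203.0.113.0/24 include:_spf.mailhost.example ~all",
        "a": ["203.0.113.10"],
        "mx": ["mx.example.com"],
    },
    "mx.example.com": {"a": ["203.0.113.25"]},
    "_spf.mailhost.example": {"txt": "v=spf1 ip4:198.51.100.0/24 -all"},
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, sender_ip, depth=0):
    """Return (result, reason): which SPF term of `domain` matched `sender_ip`.

    Handles ip4, ip6, include, a, mx and all; redirect=, exists, ptr and
    macros are out of scope. Unknown mechanisms are skipped.
    """
    if depth > 10:  # RFC 7208 limits DNS-querying terms to 10 per check
        return "permerror", "too many include lookups"
    record = DNS.get(domain, {}).get("txt", "")
    if not record.startswith("v=spf1"):
        return "none", f"{domain} publishes no SPF record"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        matched = False
        if name in ("ip4", "ip6"):
            # `in` is False when address and network families differ
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name in ("a", "mx"):
            target = arg or domain
            hosts = [target] if name == "a" else DNS.get(target, {}).get("mx", [])
            matched = any(str(ip) in DNS.get(h, {}).get("a", []) for h in hosts)
        elif name == "include":
            sub, _ = check_spf(arg, sender_ip, depth + 1)
            matched = sub == "pass"  # include only matches on an inner pass
        elif name == "all":
            matched = True
        if matched:
            return QUALIFIERS[qual], f"matched {qual}{term} in {domain}"
    return "neutral", f"no mechanism in {domain} matched"
```

A softfail or fail that lands on the `all` term is the case from the comment: the sending service is simply absent from the record, and the reason string tells you which domain's record needs the missing mechanism added.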


As a pedantic HN commentator, although I'm willing to believe the author of the review has taught Spinoza, they seem to be guilty as well of their own charges: in particular, "In Spinoza, God is all things, as opposed to God being a higher order of being from which all things emanate" is what secondary sources would have one believe about Spinoza.

See thread at https://news.ycombinator.com/item?id=39885475

(There is a formalisation of Spinoza in there somewhere; being an HN commentator, I believe I may have a better one, but as I've been faffing about* too much on HN instead of trying it, it has yet to be written down. To this particular point: in Spinoza, some things are dependent upon other things, and all things are dependent upon God, but God only depends upon God, so we can clearly say (a) God is not all things [having a difference which witnesses the inequality] and (b) God is a universal [for any metaphysical x, x transitively depends upon God], and can arguably say (c) "[whether] God or all things" is metonymy, for there is a 1:1 relationship [in Spinoza but not in Aquinas] between creator and creation. Can we draw any connections to Buddhist philosophy?)

Lagniappe: https://www.youtube.com/watch?v=JWGrcz4sOiw

* my current nerd-snipe is a decrypt; anyone have hints as to the steganography in:

BEARER IS A FRIEND. I CANNOT WRITE MUCH. WILL YOU BE READY TO MEET A TRUSTED INTERMEDIARY SO YOU CAN GIVE ALL NECESSARY DOCUMENTS TO HIM NEXT WEEK? I HAVE NOTHING MORE TO SAY.


I don’t know in practical terms how Apple does it, I only know that they must do it because otherwise they couldn’t produce an artifact as complex as the iPhone. You can know for a fact they utilize modularity by opening up an iPhone and seeing… modules! A few things to read in the general area of this theory though…

Short and highly specific: Bezos’ API memo — https://konghq.com/blog/enterprise/api-mandate

An actual book that’s a bit broader but touches on system coupling/decoupling and is very practical for software people: Wiring the Winning Organization by Gene Kim

An excellent, very approachable primer on the overarching field of thought, which is systems theory, is Donella Meadows’ “Thinking in Systems”

Going back to more of the philosophical foundation (along with other valuable business ethics lessons), you should look into the work of W Edwards Deming and his “System of Profound Knowledge” — sounds pretentious but is EXTREMELY practical. This region of thought forms the basis of e.g. the Toyota Production System

And an absolutely excellent but more academic deep dive into precisely this topic of modularity is Carliss Baldwin’s “Design Rules.” It’s sort of a super-theory of Conway’s Law, but in a book-length argument.

