"The primary reason computers are insecure is that most buyers aren’t willing to pay — in money, features, or time to market"
I'm not sure this is true. That the market is not producing adequately secured stuff is fact, but... It strikes me as similar to "journalism is broken because people aren't willing to pay for good journalism anymore". Maybe it's true in a sense, but I don't think it's a useful sense.
It's not like computers come in regular or secure, with a 20% discount on regular. Money is not always a direct lever on things. Some software has crappy UI. This does not generally correlate to UI spending. A much bigger influence is the type of market that software is in. "Enterprise" will likely be much worse than consumer stuff, because of market structure, incentives and hard feedback loops.
Bureaucracy/rules come with costs that can't be easily priced too.
For example, gdpr...
The writer complains that current laws are written from a naive perspective, as if the internet existed within its jurisdiction. That naivety is inherent in regulatory/rule-based systems.
GDPR was written as if it would be written by a person writing software. It's not. It is written by lawyers, hired by companies to "do GDPR." Mostly, lawyers reduced this to paperwork. Policies that must be meticulously written. Checkbox software that must be installed. Agreements with vendors that must be updated.
...All things that cost money, put lawyers and compliance officers in more powerful positions, and do very little to improve user privacy and agency over their data.
If you want to start a company in a regulated market, your first hire is a compliance expert, preferably one with a personal relationship with that specific regulator.
Regulators are process oriented, not results oriented.
For example, let's say some drug is overprescribed. Regulators respond with new small print that must be included in ads. They will meticulously measure "compliance," but may not even take an interest in results. I.e., they may not even check to see if sales/consumption of the overprescribed drug have gone down.
Anyway... Whether through regulation or whatever, security is hard. It is almost always reactive, responding to past crisis.
Personally, I'd start with laws (not regulators) targeting after-the-fact disclosure. I think self-reporting is the most useful/successful part of GDPR, for example.
Light helps. It can also create the pressures, incentives and information required for change.