I figure it's the same reason behind similar issues all across different industries right now, as well as why there are so few jobs in general:
a race to the bottom in terms of minuscule budgets, overtaxing employees with job creep, a flippant attitude towards preventative measures for saving/making money you can report to shareholders today, etc. Too many people I know, myself included, have realized post-pandemic jobs make you do the work of 3 people while you get "sorry, we just don't have the time or money to pay you properly" if you protest. I wouldn't be surprised if the team for this massive institution is like, 5 guys in a room who work 15 hours a day, subsist off of energy drinks, catered sandwiches, hustlemaxxing youtubers and ketamine
I wonder what the tipping point is going to be? Will there ever be one, or will people just keep getting squeezed until they burn out and die, only to be replaced?
Because they cost time and money to implement and there is no incentive to avoid data breaches. This should be up to legislation, if we as a society actually care about privacy we need to give data privacy laws some teeth and start really enforcing them.
I’m sorry but sometimes it’s not money, it’s employees who are malevolently careless. Yes, you can spend huge sums of money locking up their computer so much that it would require 5 or 10 people to do the job of one because they only have a text editor, but we should also get into law that installing a remote desktop incurs liability on the employee side. I won’t say get the company off the hook, but employees are actively malevolent.
Without needing the Fight Club scene, "because the current [US] regulatory penalties are tiny, even when hundreds of millions of people's data is compromised. And there are rarely criminal charges against the executives of the companies who leaked the data". Until Congress legislates any solution.
If a CTO risks prison and having a criminal record because someone made a mistake, not too many people are going to want to be CTOs. Or you'll have to pay them a lot more.
a) "someone made a mistake" is not a good-faith characterization of "your software does not allow customers to mandate MFA organization-wide and audit that, you never fix that even though you market the capability, you're fully aware many of your customers are still only using 1FA and you continue to allow them to do that for months(/years?) even as you become aware other customers' credentials are being stolen by infostealers, (possibly in some cases from the same contractor laptop working for multiple customers, or at least on the same network/ at the same IT company)". Was it negligence? gross negligence? by which parties? I'm sure that will be argued for years (look how long the 9/11 insurance lawsuits took). But "someone [one single person] made a mistake [one mistake]" it ain't.
b) Unclear: are you talking about the Snowflake CTO(/CEO/COO/CIO/CMO/General Counsel) or their customers' executives? Where did anyone say it was the Snowflake CTO's sole responsibility, or the sole responsibility of any single executive? There will presumably be Congressional hearings as well as an SEC inquiry, truckloads of civil suits, plus tech journalist coverage. Their customers' cyberinsurance might well decline to pay out, more lawsuits. I wouldn't jump to conclusions until those facts are in. But in the meantime likely the stock market will deliver a financial verdict much sooner, and Snowflake might have to change executives, or get acquired, or worse.
c) But the general proposition that management isn't a consequence-free country-club environment seems fairly self-evident.
d) Not too many people should want to be CEOs or COOs or CTOs of a large company (or be considered qualified or competent to), if they might be held responsible for negligence or criminal wrongdoing. Boeing and SVB both spring to mind, and we don't have the facts on those either. Monsanto/Roundup, 3M/PFAS, Sackler/opioids also.
e) But executives being held [civilly or even criminally] responsible in extreme cases is not an existential problem like you're suggesting, because the market will figure out how much to compensate them. If a good CTO by their actions avoids $10m losses or reputational damage or lost customers every year, you could still pay them a lot while saving money, right? The case has been made that huge executive golden parachutes are a terrible practice, and that higher executive base compensation is better.
You wouldn't dispute that Sarbanes-Oxley was on balance a good thing? CEOs and CFOs know if they sign off on outright fraud, they could go to jail. Actual Sarbanes-Oxley prosecutions are very rare, but that's because it's having a deterrent effect.
Authentication, 2FA by SMS (going to a personal cellphone on a monthly contract), SIM-stealing, auditing whether MFA is in fact happening organization-wide etc. all seem to be in the news constantly. If Congress wants to get in a moral panic about TikTok, maybe they could spare a session or two for this.