You're wrong, defenders are not profit centers. You don't expect the security guard for your office building to generate profit, why would you do so for your digital assets? Defenders are like lawyers and HR, they are cost centers whose existence is justified because attackers also exist.
> "You can say that security is a feature and a load-bearing one, and I'd agree with you, but not everyone who makes decisions will do the same."
Maybe it is, but I wouldn't put it that way. Security teams exist because people with bad intent that want to harm you exist. Just like lawyers exist because people who sue you (including the government) exist.
Imagine stating "lawyers don't exist to protect from lawsuits", that's how it sounds to me. If defenders aren't there to defend, then their existence isn't justified.
> "Defenders are trying to ship"
Defenders are there so that when other teams who "ship" attempt to do so, the application, system, company or wherever you have protected data doesn't get compromised. And this is before and after "shipping" or deployment. Security is a cost of business, whose ROI is measured by the fact that you are doing business without getting hacked, nothing more.
> You don't expect the security guard for your office building to generate profit, why would you do so for your digital assets?
Yes, that's why companies cut cost on security guards as much as they possibly can. From the product-making company standpoint security is mostly a cost.
Yes it is mostly a cost. Breaches are also a cost. When the Home Depot security team tried to fix the issues that got them pwned, the execs said "we're not a security company, we sell hammers". Box-ticking mindsets like that are held by incompetent and short-sighted executives. The cost of security is decided by the cost of a potential compromise, it has nothing to do with profit margins. A lot of companies learn this lesson the hard way. Many "snakeoil" security companies exist because of this incompetent line of thinking by executives. It is easier to say you paid some company who made some b.s. claim than to actually fix problems, even if the third party costs more than the cost of fixing problems.
In short, what you and OP commenter describe is incompetency, it should not be taken as the default, those are not defenders, those are mismanaged organizations. We're in 2024, every exec should know better.
> In short, what you and OP commenter describe is incompetency, it should not be taken as the default, those are not defenders, those are mismanaged organizations. We're in 2024, every exec should know better.
Everything in life is a trade-off, and no one is in the business of perfect cyber security defense. Therefore, businesses will *always* trade weaker cyber security defense for better/faster/cheaper/easier/more business in their actual line of business. Just like you do every single day. Do you have ALL traffic on your home network encrypted with mutual server and client certificate verification? Do you only have your 256 character passwords memorized in your head and not stored in a password manager anywhere or otherwise recorded somewhere? Are all of your home systems equipped with strict outbound firewall rules that only allow one time, on demand and confirmed communications with the wider internet? Have you hardened your home network against data exfiltration via DNS queries[1]? If you use 2FA for your accounts, and the objectively weaker password managers to store your passwords, are your 2FA tokens kept on completely separate devices from your password managers? Do you only allow direct console access to any of your systems and have no remote access like SSH enabled? Do you have every single computer backing up its data into multiple redundant copies, without using the network for data transfer and with at least one if not more of those copies stored off site?
If you answered "No" to any of those questions, you also have chosen the route of "incompetency" and "mismanagement". It's 2024, and every IT person should know better. But of course we do "know better" and choose the objectively weaker options anyway because the stronger options get in the way of actually doing the things we want to use our systems for. You don't choose perfect cyber security defense for your home network because you don't have a home network for the purpose of practicing perfect cyber security defense. So it is with businesses, they don't have their systems for the purpose of practicing perfect cyber security defense either.
"Should" doesn't mean much. People respond to incentives. Can you explain the incentive function that exists today in the real world to prioritize the security cost center above the profit center?
I mean, I work at a company that I'd say does a pretty good job of this--in a regulated industry and after getting burned a few times. But you can still go full-send with VP approval, and the risk becomes part of the cost of doing business.
The problem goes even deeper, execs chase short term profits and stock ticker bumps, that's the root cause in my opinion. You shouldn't prioritize security over the main business and profit, that was not my suggestion, but you should prioritize long term profits and reputation (ability to make even more profits in the long term), which is where security comes into play.
In other words, security is necessary for business. Just like how you would want your offices secured from burglars -- because otherwise you can't do business well -- you should want your digital assets secured from hackers, except unlike physical security, it isn't just local malicious actors and competitors after your business but intellectual property thieves, hacktivists, financially motivated cybergangs and more (not just nation state actors).
Failure to give proper priority and funding to cybersecurity is failure to ensure the conditions that make the company profitable and viable in the long term.
It's not, though, that's the thing you aren't picking up. Managing risk to the tolerances necessary to make money is necessary for business. That's what's being done.
You say that it's about the long term, but within epsilon of nobody has gone out of business or even been seriously impacted by bad security posture. Experian gets wrecked on the regular, but it's not going out of business. Azure springs holes regularly enough that Corey Quinn has an ongoing schtick about it, but Microsoft isn't going out of business, either.
If you want security to be necessary for business, you need to make failing to operate securely a legitimate threat to an organization. Waiting for consumers to act collectively means you'll die of old age before seeing a twitch, so you're really talking about legislation. I would be in favor of this, to be clear--I think we as an industry are bad at cybersecurity, terrible even. But I'm describing what is, not what ought.
Companies go out of business because someone from China stole their intellectual property, that isn't uncommon. There are companies like RiskIQ and BitSight that rank your security posture, which other companies use to decide on giving you their business. If it is between your ransomwared company and the competition, you just lost a business advantage there. Azure and Microsoft are bad examples, as is Experian, they don't have much competition. I think the whole ransomware trend has skewed how people think about security. It isn't just outages like the ones caused by ransomware that are a concern, keeping secrets and confidential information from your competition is a big deal. As is the trust of your clients, that you will protect their information.
> Managing risk to the tolerances necessary to make money is necessary for business. That's what's being done.
I agree, but that isn't what is being done at most places. Every organization should spend as much on security as their risk tolerance allows them to. My problem is with spending as little as possible without getting into legal trouble.
> You're wrong, defenders are not profit centers. You don't expect the security guard for your office building to generate profit, why would you do so for your digital assets? Defenders are like lawyers and HR, they are cost centers whose existence is justified because attackers also exist.
I didn't say that infosec was a profit center. But they're in tension with profit centers for attention and sway, and by the way--the profit centers are the ones who make money.
I've said it before, I'll say it again: People Respond To Incentives. Lawyers and HR are generally not respected except insofar as they protect companies from visible legal risk, and often not even then. Infosec is so vague as to appear as a tiger rock to people who aren't plugged into it.
> Defenders are there so that when other teams who "ship" attempt to do so, the application, system, company or wherever you have protected data doesn't get compromised.
Everyone, infosec included, is trying to ship. Shipping is how you make money, make payroll, and keep people employed. You only don't ship when your risk calculus indicates that the cost of not shipping is less than the cost of shipping.
This us-versus-them thing brings us back to "the most secure system in the world is in an unplugged box". But we don't operate businesses off of unplugged boxes. Risk management exists. If this is how you would argue risk management with the median exec I've known, you'd lose. I have skilled infosec friends who've had better success than this through wise process and product choices, though.