4 Comments
Adam Pietrzykowski

The post-traumatic growth after the breach seems to be something ordinary. It always reminds me of the Apollo 1 tragedy and how it changed NASA's take on safety and their organizational values. In cases where safety/security determines achieving the goal, the change can be permanent. It'll be embedded into the org core. But that's not the case in ordinary corporate infosec. Maybe military one.

Yuri Desyatnik

I think many companies lie to themselves about security by prioritizing <growth|profits|vc-milestones> as reasons not to invest. Agreed with Ron on building security from the start.

Bartosz Kowalski

I don't have nearly as much experience in the industry as you do. But here's what I've learned so far: it doesn't matter if the customer doesn't want to protect himself because he's skittish or simply unaware of the risks. Often an argument along the lines of "Be lazy - do it now, you'll have less to do" works. Focus on the low-hanging fruit. Think of it like tackling the most visible weeds first. Basic, fundamental cybersecurity practices offer the biggest bang for your buck.

Ron AARON

Indeed. My approach with my clients has always been "build in security from the start". Sometimes clients are willing; sometimes (more often) they're cheap or misinformed as to the risks. I do try, though...
