The problem with paying for good security is that it's very difficult for non-security experts to evaluate the genuinely effective ways to do that.

Is buying antivirus "paying for good security"? Hiring the first security firm that showed up in a Google search?

If you advertise for a security person to join your company, how do you effectively interview candidates?



No F500 tier executive is doing that.

They paid Accenture and Gartner to tell them what to do.

Ditto for having them set up a security organization -- get Accenture to sit a temporary CISO, hire some people, and then fuck off. Hopefully the replacements work!

Mom and Pop shops might use Google, but in 2024 they're usually using whatever the local, oversubscribed MSP is selling.


And the problem there (as I see it) is that they don't care about security, they care about passing their audit.

"Passing our audit" has been presented with measurable consequences (cannot sell to customers) and finite, well-defined actions (this is what the audit list looks like).

What I'd like (the goal of the follow-up article, coming soon) is to present the value of security in a way that makes the justification of the effort viable and palatable.
