Once you understand how difficult attack mitigation is, then you can pick and choose from a variety of factors:
- executives may not have a realistic understanding of how difficult attack mitigation is so they don’t allocate the resources for hiring
- incompetent admins overestimating their abilities
- competent admins who are underfunded
- incompetent admins who underestimate the value of the data they’re protecting
- competent admins who may not have an accurate picture of what data they’re trying to protect so their threat model is flawed due to inaccurate information
- executives who are aware of how difficult mitigation is but don’t place customer data privacy as a priority.
- the current iteration of our growth-obsessed corporate models unintentionally results in a race to the bottom in many ways.
- little incentive for companies to factor in social impacts as we don’t yet seem inclined to figure out a way to include impacts on society as one of the many metrics to measure a company’s success or failures.
It’s worth remembering though, even the most responsible, most well-funded, most security-conscious, and best-staffed organizations have been compromised at one point or another—security is hard.