alt Hacker NewsThe most unfortunate thing about much of corporate 'cybersecurity' is that it combines expensive and encumbering theatre around compliance and deniability... with ridiculously insecure practices.
Imagine, for example, if more companies would hire for software developers and production infrastructure experts who build secure systems.
But most don't much care about security: they want their compliances, they may or may not detect and report the inevitable breaches, and the CISO is paid to be the fall-person, because the CEO totally doesn't care.
Now we're getting cottage industries and consortia theatre around things like why something that should be a static HTML Web page is pulling in 200 packages from NPM, and now you need bold third-party solutions to combat all the bad actors and defective code that invites.
> Imagine, for example, if more companies would hire for software developers and production infrastructure experts who build secure systems.
I do imagine that, and they get hacked (because you have to get lucky every time, but the hackers only need to get lucky once), and then the press says "were you doing all the things the whole industry says to do?" and they say "no, but we were actually secure!" and the press goes "well no you weren't, you got hacked, and you weren't even doing the bare minimum!" and then the company is never heard of again.