Security is always optional

One sad but true fact of working in the security industry is that security is always optional, particularly in the corporate world. I have worked in businesses which should have been PCI compliant, HIPAA compliant, SOC 2 compliant, etc. Nobody actually enforces this stuff, except maybe your own customers, who might want to see an auditor's report in the case of SOC 2; in which case the spending gets delayed until it is absolutely necessary to close the deal. Nobody from the HHS Office for Civil Rights (OCR) checked up on that electronic health records company to ensure it was HIPAA compliant. Nobody from the credit card processor audited that e-commerce company to ensure that your credit card data was properly protected.

So they chose not to bother. Because they figured they could get away with it and not spend money on security. And guess what? They did get away with it, as far as I can tell.

When times get tough security is almost always the first to go. Recent months have been full of belt-tightening layoffs despite record corporate profits. The line must continue up and to the right, and after a number of very good years they have largely run out of other ways to make that happen. So layoffs it is. Who can we get rid of? Not sales. They are the ones who actually bring in revenue. Not operations/manufacturing/development, as they are the ones who actually make what it is that we are selling. How about executive management? Hahahahahahahahah! Good one! Let's can those security dweebs. We'll probably get lucky until our golden parachutes kick in, and by the time this place gets pwned we'll be long gone. And so what if our customers' data gets stolen? That's an externality. And if we get ransomwared we'll blame an unstoppable nation state actor who perpetrated a "sophisticated cyber attack" against us and hope our cyber insurance will save us (even though we likely don't meet the policy conditions for coverage, because we haven't been running an effective security program).

Yes, cybersecurity incidents are all over the news. According to US Census Bureau 2021 statistics there are 8,278,573,947 establishments (businesses) in the US. And according to a report published by the Identity Theft Resource Center (ITRC), 1,862 data breaches occurred in 2021. So 1,862/8,278,573,947 ≈ 0.00002%: that is the chance any one particular company shows up in that year's breach count. Of course, this isn't scaling for size/impact or any number of other things, and not all of these companies are equally likely targets. But it illustrates the point: they aren't necessarily wrong in their reasoning that they can very likely get away with making, at best, a token effort at security. No need to hire cybersecurity experts.

And so what if they get breached and their customers' personal data gets stolen and sold on the dark web or wherever? That's an externality to them. They'll pay a pittance to get you some "credit monitoring" (not that this will help to claw back your SSN or whatever data was leaked) and call it a day.

Until there is real legislation, enforcement, and consequences for the companies that let us down, security will always be optional in the corporate world. And as such, cybersecurity is seriously lacking in job security.
