Anonymous Coward
"got sick of telling them what was wrong and not having them fix it"
I don't know the situation with these guys, I'll give them the benefit of the doubt, but that phrase is everything wrong with a lot of cybersecurity professionals in a nutshell...plenty of goons willing to run scans and test 'sploits, then suggest insanely expensive mitigations..."Man, that £1m worth of data is exposed, it needs to be protected. I recommend this firewall from Ironballs Labs in California, it's only £5m".
Person: building a sandcastle
Cybersecurity: It's shit mate, it's not going to work.
Person: looks confused, doesn't understand
Cybersecurity: Man, I keep telling you it's shit.
Person: sad because his sandcastle fell over
Cybersecurity: See I told you, I've been telling you for ages you need to make your sandcastles better.
Person: Hey man, my goal here was to just have fun and chill out on the beach, a cheap day out. What would you have done?
Cybersecurity: Well, I would have used those boulders over there to fashion a small blast furnace, scavenged for iron ore at the bottom of those cliffs and collected all the driftwood over there as fuel.
Person: Man, that's not worth it, I just wanted to build a sandcastle.
Cybersecurity: Why doesn't anyone ever listen?
Usually if a cybersecurity person moans about not being listened to and having their advice ignored, it's an indicator that their proposals for mitigations are just insane.
Yes, security problems can kill your business...but so can overspending on mitigating vulnerabilities that have significantly lower ALE and ARO than the solution costs.
Cybersecurity isn't about "perfect hardened security", it's about balancing risk and cost. You wouldn't protect a £10 note with a £1m vault. Similarly, you wouldn't protect £1m with a £10 petty cash tin. You have to find the balance where the cost is reasonable vs the asset being protected and the risk is sufficiently low that the cost of attacking the asset prevents it being a worthwhile exercise.
Anyone can find a security issue and then suggest the latest and greatest cutting edge security software / hardware to protect the vulnerability...that's the easy part of cybersecurity. The hard part is finding solutions that are feasible and practical that don't result in costs that are higher than the assets are worth.