
VieElm | 10 years ago

I don't understand the criticism; what are they supposed to say instead? When an attacked company says "we take security seriously" it's probably a statement made by someone in the company who really does care about it and is probably pretty upset about the whole ordeal and wants to fix it. This whole attitude about corporations always being these evil lifeless monoliths who don't care about anything and are just saying whatever they need to stands in contrast with any place I've ever worked. Some of these companies are staffed by people who do care and want to do the right thing, and I don't understand what the OP thinks they should say instead.


ploxiln | 10 years ago

Companies in general do not really care. I've been on the inside, the infrastructure guy who knows what's actually being done to implement proper security and who's responsible for a lot of it. Companies care much more about the next set of features, the next release, the next big deal that will change everything, the sales goals for this quarter. They may even care about "usability", the latest site re-design, "user stories".

Security is always the very last thing they care about, until there's a huge very costly breach. Then they care for 2 months, and I get to actually work on the security stuff, and get other developers to cooperate, and clean up the known messes left all over in the typical mad dash of feature addition and replacement. Then it's all forgotten about again.

They should say "we suck, we focused 100% on features and market share, we know now what's important", and they should get security right. It does kinda suck that the market often rewards companies that prioritize all else above security, and I wish such companies all the damage a breach can cause. Otherwise, there's no reason to not suck at security.

They should just be honest: "This is what happens when you make a product people love. It's insecure and data is lost and service is interrupted. But you all love it so thanks :)". People should not be under the illusion that their favored products and services are secure. They should know they love insecure shit.

ProAm | 10 years ago

"Caring" doesn't matter though, only execution does. Everyone cares about obvious things that people should care about; it doesn't matter though if you fail at what you are supposed to do. Only execution matters in business.

hippo8 | 10 years ago

But the fact is no matter how much money and effort you put in to it, someone determined enough will find a way through.

What most people don't realise when it comes to computer security is that the foundation on which our modern systems are built never anticipated this much growth.

I think I am happy with companies that care enough to come forward and admit their mistakes. IT security is hard, very very hard.

siliconc0w | 10 years ago

Still it's a well taken point - if you ask most any company if they want to drop the latest project and work on security instead they'd tell you in polite business terms to fuck off. I've had executives try to argue with me - "But nobody knows the URL!" to justify not allocating even the smallest of resources to fix security problems.

You really need a good security guy who can be the bad guy and stop projects in their tracks when it's clear there are security issues. Because asking the same people who are accountable for shipping to stop the presses to fix even the obvious shit you already know about is a challenge - much less investing resources in 'shoring up' against attacks you don't anticipate.

nissehulth | 10 years ago

It's not like someone is saying that the companies have board meetings where they decide to be evil or do stupid things. But they DO decide on budgets that in the end means that there isn't enough time and/or resources to do more than the bare minimum.

If there are people that truly do care, they should stand up in the early process and make sure enough budget is allocated.

ams6110 | 10 years ago

Maybe "we are sorry this happened and are working to improve" and leave it at that?

ryandrake | 10 years ago

The criticism is of the emptiness of the PR-written responses. A few people at a company being "pretty upset" about a security breach doesn't mean the company actually takes security seriously. Responses like this are fairly obviously canned and insincere, and are designed to deflect criticism of companies' actual security practices.

elchief | 10 years ago

Do you think Sony took security seriously? If not, is "we take security seriously" something they should say?