
I think that when companies sell to the government, there is so much money to be made, and such a huge PR boost, that they are incentivized to cover up the naughty bits (a certain airframe manufacturer comes to mind).

It can mean anything from concealing slightly embarrassing stuff, to massive, systemic, deliberate fraud; sometimes, the whole spectrum, over time.

It often seems to encourage a basic corrosion of Integrity and Ethics, at a fundamental cultural level.

When leaders say "Make Security|Quality a priority," but don't actually incentivize it, they set the stage.

For example, routinely (as in what is done every day) rewarding or punishing, based on monetary targets, vs. punishing one or two low-level people, every now and then (when caught), says it all. They are serious about money, and not serious at all, about Security|Quality.

If you want to meet a goal, you need to incentivize it. Carrots work better than sticks. Sales people get a lot of stress, and can get fired easily, but they can also make a great deal of money, if they succeed. Security people don't get fired, if they succeed, and get fired, if they don't. Often, the result of good work is ... nothing ... No breaches, no disasters, no drama. Hard to measure, as well. How to quantify an absence?

Sales: Lots of carrot, and the same stick as everyone else gets. Easy to measure, too.

Security: No carrot. All stick. The stick can be a really big stick, too; with nails driven through it.

I'm really not sure what the answer is, but it's cultural, and cultural change is always the most difficult thing to change.



I think this is sort of it but I don't think it's the carrot that's the problem here. I believe it's the process and yeah ultimately the culture.

I don't think you want sales concerned about security; their focus should be on growth, and only on growth. The problem is that if you don't give jurisdiction and power to the other side to actually say "no, this priority (security fix) goes in before work is done on this new feature," then you have an imbalanced system.

If the project manager who is incentivized toward growth is the decision-maker for deciding what is prioritized, well of course naturally you'll have the PM choosing growth over security.

Process needs fixing, give more agency and jurisdiction to the other side to effect change. It's not like security doesn't see what the issues are, it's just the fixes are not prioritized and the culture and process isn't balanced between both.


You're not going to like hearing about regulatory capture...

There are pretty significant incentives on the government's side (or at least for the individual decision-maker's career) to also see the deal go through.

Both sides want the deal to go through, both sides have motive to hide flaws unless end users will find out before they retire.





