      05-10-2021, 03:34 PM   #12
EME_Bounce

Quote:
Originally Posted by zx10guy
This crap is going to continue until there are fines and penalties (which may be as extreme as jail time) for critical industries to put money into INFOSEC. No one is talking about this. I've been harping about this for a long time both in various online forums and with my job as a technology advisor for various clients. These rules need to be similar to HIPAA, PCI, and FedRAMP.

Talking about beefing up security is not going to do a damn thing as putting money into security doesn't reflect in the balance sheets or ROI of executives. But what will is if they don't upgrade their systems to established minimum guidelines that those making decisions on implementation and budgeting get fined personally or thrown in jail. I bet you this whole thing will turn around within a few months. I don't need to go that far back to bring up a classic example of the failure of how things are being done by bringing up Equifax. The idiots in management knew they had vulnerabilities in their systems and chose not to patch their systems.
You can make up a bunch of laws, rules, requirements, but if the person implementing them is nothing more than a button-pushing monkey that doesn't understand aspects of how systems work and work together, this will always continue.

Laws/regulations/PCI/HIPAA all lag technology and are written by bureaucrats, not intelligent computer engineers. (Yes, there is a HUGE difference between an IT weenie and a computer engineer.) IT management is excited by nothing but reading blogs and the latest IT buzzword.

I've seen all of this first hand in commercial industry.

There are good people but for the most part it's a mess.