
I’m convinced that the cybersecurity and security research industry is largely a pass-the-blame market. And honestly, that's not a bad thing — it's smart and even necessary. If a publicly traded company suffers a security breach, they can say, "We hired [security firm] to harden our systems — if something went wrong, it’s on them." This way, the company deflects blame, protects its reputation, and keeps shareholders satisfied. All-in-all not a bad strat


The side effect of this process is that if [security firm] is doing their job then the systems do actually get hardened and the number of breaches is reduced as a result. In other words, this machine works as intended.

A common challenge is assessing whether [security firm] did actually do their job, or whether there just weren't any tigers around here in the first place. Hence, SOC2.


It's unfortunately even worse than that, in my opinion. Security is making computers not do things. Software engineers spend much of their day trying to make computers do new things. It is almost necessary that security work adds friction to other work.

So not only is it often difficult to measure the actual impact of a security mitigation, it is often possible (or even easy) to measure the friction caused by a security mitigation. You really need everybody to believe in the necessity of a mitigation or else it becomes incredibly easy to cut.


Not really, because one of the key aspects of security is Availability in the CIA triad.


TSA theatre, america fuck yeah



