
Ask HN: Would you work for Equifax (or the likes?) - Bhilai
The Equifax hack(s) have resulted in impassioned discussions on security, patching and due diligence in general. Many CISOs and security stalwarts have had a lot to say on the matter and yet we don't see any security leaders actually wanting to work at companies like Equifax.

So I am curious to learn what would it take for the security champions to be enticed into working for Equifax et al.
======
lostdog
Glassdoor says that a Senior Security Engineer salary is $110k at Equifax. The
reviews say things like "Bad Reputation, Business emphasizes revenue over
quality" and "Most work is performed offshore, Poor strategy from Management".

Equifax failed at security because Equifax's leadership doesn't care. They
will only be convinced by seeing revenue drop or incurring larger penalties
from the government. Revenue will not drop because the affected people are not
paying customers. Penalties will not increase because the current political
climate is "All regulations are bad" when it should be "Bad regulations are
bad; Good regulations are good."

~~~
robotfactory
I'm a Security Engineer and there's no way in heck I would work for Equifax
for $110k. Not after their disaster.

The problem at a lot of businesses is security has no tangible ROI. You're not
going to make a million bucks because you implemented a new SIEM.

The value of security is hidden. It prevents you from having loss. It's hard
to quantify the value when your job is, essentially, preventing bad things
from happening.

~~~
andrei_says_
I wonder if there would be value in preventing bad things happening to people
and institutions which are trying to decide if they should give credit to
someone. As in, if a certain individual is credit-worthy. Maybe a score could
be calculated by an entity which has access to the outcome of every person’s
relationship with credit in the past.

But it would be beyond ironic if such an institution, selling a sense of
security as their main product, could not see the value in protecting the
security of their own assets.

It would also be sad that in a myopic attempt to squeeze every single penny in
profit, such a company would underpay the very people who run the machinery it
is built on.

------
dylz
Probably something akin to "as a CISO, if I'm hired here, I expect all levels,
onshore and off, including executives to follow these new security policies
and plans, putting features on hold to do security review, audit, and rewrites
- and anyone actively refusing to participate or trying to put bullshit first
will be terminated immediately; teams are expected to cooperate in this regard
or else same" in addition to an absurd sack of liability money.

------
tabeth
I imagine getting any security best practices (as defined by the employee)
implemented to be as much of a political challenge as a technical one.

With that said, most technical people don't want to be politicians.

