Hacker News

> It's probably also hard to know what a good security audit looks like, unless you grasp basic security in the first place.

If you replaced security with accounting, the above still makes sense! Why do companies pay through the nose to get an accounting audit done right, but are much less willing to do so for a security audit?

I say the solution is to put the (legal) responsibility on the company. Once there's a financial incentive, it becomes a priority.




I wonder where you work to NOT have mandatory security audits.


I'm currently working for a real estate startup and I have to seriously twist their arm to convince them we should authenticate private API requests at all, let alone run vulnerability testing.



