Ask HN: Would you work for Equifax (or the likes?)
6 points by Bhilai 11 months ago | hide | past | web | favorite | 5 comments
The Equifax hack(s) have resulted in impassioned discussions on security, patching and due diligence in general. Many CISOs and security stalwarts have had a lot to say on the matter and yet we don't see any security leaders actually wanting to work at companies like Equifax.

So I am curious to learn what it would take for the security champions to be enticed into working for Equifax et al.

Glassdoor says that a Senior Security Engineer salary is $110k at Equifax. The reviews say things like "Bad Reputation, Business emphasizes revenue over quality" and "Most work is performed offshore, Poor strategy from Management".

Equifax failed at security because Equifax's leadership doesn't care. They will only be convinced by seeing revenue drop or incurring larger penalties from the government. Revenue will not drop because the affected people are not paying customers. Penalties will not increase because the current political climate is "All regulations are bad" when it should be "Bad regulations are bad; Good regulations are good."

I'm a Security Engineer and there's no way in heck I would work for Equifax for $110k. Not after their disaster.

The problem at a lot of businesses is security has no tangible ROI. You're not going to make a million bucks because you implemented a new SIEM.

The value of security is hidden. It prevents you from having loss. It's hard to quantify the value when your job is, essentially, preventing bad things from happening.

I wonder if there would be value in preventing bad things happening to people and institutions which are trying to decide if they should give credit to someone. As in, if a certain individual is credit-worthy. Maybe a score could be calculated by an entity which has access to the outcome of every person’s relationship with credit in the past.

But it would be beyond ironic if such an institution, selling a sense of security as their main product, could not see the value in protecting the security of their own assets.

It would be also sad that in a myopic attempt to squeeze every single penny in profit, such a company would underpay the very people who run the machinery it is built on.

Probably something akin to "as a CISO, if I'm hired here, I expect all levels, onshore and off, including executives to follow these new security policies and plans, putting features on hold to do security review, audit, and rewrites - and anyone actively refusing to participate or trying to put bullshit first will be terminated immediately; teams are expected to cooperate in this regard or else same" in addition to an absurd sack of liability money.

I imagine getting any security best practices (as defined by the employee) implemented to be as much a political challenge as it is a technical one.

With that said, most technical people don't want to be politicians.
