
>I've been asked before to turn off security monitoring systems because executives prefer to not know about vulnerabilities rather than know about them and not be able to fix them.

It's a simple cost-benefit analysis.

Implementing effective security is difficult, time-consuming, and expensive. Ignoring problems costs nothing. Unless it's clear the cost of a breach is higher than the cost of security, corporations will risk a breach every single time.

The ultimate losers here are users, who bear the burden of having their data appropriated and misused. Unless the government steps in and imposes penalties on corporations on behalf of users, they'll continue merrily offloading the risks of poor data security onto the general population.

>Ignoring problems costs nothing.

It's not even as simple as this. Sometimes, ignoring problems can actually be cheaper. Public perception, as well as government fines, will often treat companies nicer if they were ignorant of the full breadth of security issues than if they knew about them but did nothing.

It's a failing of our system to be sure. I've been asked to stop doing a security assessment halfway through, because once the client realized that the assessment wasn't going to just be "everything is 100% A-OK!", they didn't want it to be on record. If they were breached, they didn't want any paper trail of the executives knowing about the security vulnerabilities that could increase their liability in court. They preferred to be able to claim ignorance.
