Disagree. Security isn’t just about recovery. Say you get breached. Many threat actors are well aware of global privacy laws and exfiltrate data and threaten to release it if not paid the ransom. Some go a step further to notify privacy regulators of the breach to further leverage ransom payment.
Recovery from an encryption event is great and all, but it doesn’t solve the problem of your new regulatory fine and legal problems.
> This brings me back to my original point: Nobody (i.e., business leaders) cares about security. What they care about is avoiding lost revenue due to application downtime, extortion, and lawsuits.
Followed by arguing that fines and reputation loss, under the current status quo, aren't seen by business leaders as being extraordinarily disastrous.
I guess the free market will determine what security is worth. Extortion demands will rise until they stop being paid. Then we will know. Unfortunately the real victims (us) will not be part of the negotiations.
Recovery from an encryption event is great and all, but it doesn’t solve the problem of your new regulatory fine and legal problems.