Comment by j45 17 hours ago

It's not corporate IT's fault, it's usually corporate leadership's fault, who often cosplay leading technology and don't understand it.

Wherever tech is a first-class citizen and has a seat at the corporate table, it can be different.

michaelt 17 hours ago

Believe me, the average Fortune 500 CEO does not know or care what “SSL MITM” is, or whether passwords should contain symbols and be changed monthly, or what the difference is between ‘VPN’ and ‘Zero Trust’.

They delegate that stuff. To the corporate IT department.

  • esseph 17 hours ago

    But they also say "Here, this is Sarah, your auditor. Answer these questions and resolve the findings." Every year.

    It's all cybersecurity insurance compliance that in many cases deviates from security best practices.

    • cogman10 17 hours ago

      This is where the problems come from. Auditors are definitely what ultimately causes IT departments to make dumb decisions.

      For example, we got dinged on an audit because instead of using RSA4096, we used ed25519. I kid you not, their main complaint was there wasn't enough bits which meant it wasn't secure.

      Auditors are snake oil salesmen.

    • RankingMember 17 hours ago

      This is 100% it: the auditor is confirming the system is configured to a set of requirements, and those requirements are rarely in lockstep with actual best practices.

pmontra 17 hours ago

Sometimes they have checkboxes to tick in some compliance document and they must run the software that lets them tick those checkboxes, no exceptions, because those compliances allow the company to be on the market. Regulatory capture, etc.