NewsGoth Condensed (if you know you know)
Retired CISSP. Reformed former CISO. Also an architect, strategist, and risk manager. Radio nut and font fanatic.
I don’t do LinkedIn or most other social media. I am on Bluesky, same handle. I might mention my website occasionally.
- 0 Posts
- 1 Comment
Joined 3 years ago
Cake day: November 19th, 2022
@gcluley@mastodon.green As someone who tried to do third-party security in several companies, I can tell you that most companies don’t care about it unless they’re forced to do so, by regulation or contract. At best, without those mandates, companies pay lip service. But the incentives are misaligned. If you’re the third-party security guy, you’re viewed as a roadblock. The third party has no incentive to give you visibility into their practices; your company’s sponsor for the third-party relationship has minimal incentive to back you up. Instead, that sponsor usually takes the side of the third party. It is a thankless and frustrating position to be in. (That’s true even if you have strong CISO support, which I was fortunate to have.) When the third party has a breach, the sponsor of that relationship rarely pays any kind of price. Often, they’ve moved on to the next thing. Maybe they even got a promotion out of it.