• Steve Jones - SSC Editor (4/24/2014)


    jarick 15608 (4/24/2014)


    The push needs to come from someone in senior management with some security smarts. In my experience, very few executives have this knowledge.

    In my opinion, the push needs to come from insurance companies. Until people are sued for a lack of security in their software, it's unlikely anything will change. Once insurance companies can charge more for poorly written software insurance, we'll see a shift.

    So you're saying that an increase in lawsuits will compel companies to purchase something like errors and omissions insurance, and then insurance providers will assume the role of performing security audits for the purpose of adjusting rates based on assessed risk, sort of like auto or life insurance?

    Perhaps having the insurance industry assume the role of performing IT security audits isn't such a bad idea. They are a third party with a balanced incentive to both acquire business while at the same time minimizing risk. They would probably do a better job at it than internal or government auditors.

    "Do not seek to follow in the footsteps of the wise. Instead, seek what they sought." - Matsuo Basho