
"Silicon valley entrepreneurs" are doing business in a war zone.

The general security situation is fraught because multiple nation states are at least sheltering and sometimes sponsoring attackers who damage the economy of the opponent.



Despite what narcissistic Zero-to-Oners would tell you, their startups aren't important in the grand scheme of things. Nation states are hacking intelligence agencies, governments, established IT vendors (not startups), power grids, and hospitals in that rough order. Ransomware gangs are hacking companies that have real money right now, not lottery tickets pre-IPO. These companies can afford good cybersecurity but don't want to spend more money than the damages they would incur from a successful attack.


> Ransomware gangs are hacking companies that have real money right now, not lottery tickets pre-IPO

Funded startups have a lot of money. Milking money out of startups is a highly profitable market segment. Why would ransom gangs not want to get in on that? They don’t tend to ask for the ransom to be paid in ISOs…


Most startups don't have a ton of data you can encrypt and chokehold them with. If hospitals don't have their medical records, then people die. If your startup has to reimage all its laptops and redeploy its application code from GitHub, then it's a lost weekend.


> These companies can afford good cybersecurity but don't want to spend more money than the damages they would incur from a successful attack.

A bit off your "real" point: No company should ever spend more mitigating a risk than the potential cost they could incur from the risk. That is just good business, but the reality is that companies generally won't spend more on cybersecurity than their peers (either as a percentage of revenue or percentage of IT spend). Whether that is the proper balance for a risk/spend calculation is the real topic.

The problem is that we can't accurately calculate the probability of a cyber event and the cost impact of that event. So the company is stuck waiting for an attack on themselves or one of their cohorts so they can adjust.


> No company should ever spend more mitigating a risk than the potential cost they could incur from the risk

Funny, after the fact they are usually out a lot of money and they decide that they now do want to mitigate that risk.


It’s genuinely interesting how poorly companies perform when you gauge their ability to cost out a successful attack. Pre-attack, many seem to make an economic decision not to mitigate it. Post attack, the fifth CISO in four years gets fired, the CEO vows to do better and the cycle repeats all over…


> No company should ever spend more mitigating a risk than the potential cost they could incur from the risk.

I've heard hospital administrators make this argument after I've warned them about their security infrastructure being vulnerable to ransomware. I'm not convinced.


> No company should ever spend more mitigating a risk than the potential cost they could incur from the risk.

Basically you summed up the opening scene from Fight Club. A human life costs H million, so until it is going to kill N such that N * H >= the cost of the fix ...


Mostly true, although the ceiling at which you become interesting is dropping for multiple reasons.

Given the time cost of retrofitting effective security, waiting until you become a worthwhile target doesn't work. But hiring secops and spending time on security engineering instead of your product is also deadly to startups. It is another knife-edge for startups to walk.


Modern-day privateers?


Could you expand on that? Any high-profile cases?

Edit: found this comment in this same thread https://news.ycombinator.com/item?id=29158450



