I’m kinda tired of all the “SolarWinds had poor infosec policy and executive buy-in” takes. Not because evidence doesn’t show that they absolutely did.
Because most product companies that size also do, and nobody seems to be recognizing those same flaws in themselves.
This case should be a big “come to Jesus” moment for a majority of product vendor companies that skimp on security budgets and don’t give security a reasonable priority up to the executive level, but all I see is schadenfreude.
(Or I see the same jaded infosec individual contributors at those companies complaining nothing has changed in back channels.)
It’s easier to lampoon and pile on than to introspect.