
> It's definitely going to become big business

I almost hope that's going to happen. Why? Because absolute security catastrophes seem to be the only way for companies to start taking security seriously enough. And I'm not just talking about your random IoT/medical device company here. I mean big companies like Google and Microsoft, too.

Google became more serious about security and encryption when it got hacked by the Chinese government. Then again after it discovered that NSA was inside its internal networks. And then upped its game for Android once Stagefright vulnerabilities came to light.

And how many millions of viruses did it take to convince Microsoft to move to at least a security model/architecture like they built in Windows Vista/7?

So perhaps others profiting big from discovering vulnerabilities in companies' products, and then shorting their stock is what's needed for these companies to significantly increase their security across the board.

Is it ideal? Of course not. But if that's what it takes, then so be it. They could go nuts on the security front today, but they don't. They're waiting for the security disasters to happen first.



Security catastrophes are unlikely to be sufficient to make companies take security seriously. After all, the PR damage seems limited (it's hard to blame someone for not understanding something you don't understand yourself), and the damage is often largely to third parties (i.e., customers). The people taking the risks aren't the ones paying the costs. And those paying the costs can't really tell who's taking the risks, nor judge well how it impacts them.

It sort of reminds me of CO2 emissions - and look how brilliantly that battle is going.

This shorting is much better, actually - it impacts metrics companies actually optimize for, so it may actually affect behavior. Not only that, it allocates money to security research, creating a virtuous circle.

But it's not all roses: it's only going to work as long as there's a stock market impact; and that's eventually dependent on security risks actually affecting the choices buyers make. That is uncertain. Most successful software has almost no competitors; software (well, and IP law) makes it trivial to create lock-in and software is trivial to mass-produce, so underdogs have a terrible time. For example: if you can effectively choose only between iOS and Android, then you're likely to make that choice based on just a few of your top priorities (in CS terms: there's at most 1 bit of entropy here). Security may matter, but it's not going to have as much impact as it would in an actual proper market where there's sufficient choice for real competition to emerge.



