So about 7 months ago I rant-tweeted about orgs not really valuing security. I think it's time to repeat the rant.

In a discussion with one of the people I really respect & look up to in the cybers (@UK_Daniel_Card), I made a joke about how my clients never really take my advice.
The reality is my rates are not cheap.

Clients can spend a lot of money "buying" my advice/suggestions/whatever.

The fact that they frequently take my [whatever] and ignore it used to frustrate & annoy me. It no longer does that but it does still make me wonder.
Now, it is entirely possible that my advice just sucks. I get that. But if this is the problem, then they should stop hiring me or, at least, challenge what I say. I have no hesitation in defending my advice & if I am wrong, I will happily adjust.
The reality is clients continue to hire me. They take my advice enthusiastically. They make all the right noises. Then they don't act on it.

I've had clients where I've been called into identical-cause incidents 4-5 times over a two year period.
Every time, they get the "lessons learned" and recommended prevention measures. They say "thank you, this is great" and ignore it.

Now, while this is odd, I don't *actually* care (anymore). They can keep paying me if they'd rather do that than fix it.
But it's not just me. I've worked (in several places) with @_switt_ who is arguably one of the best people on Earth in setting up defensive environments & monitoring for evil. I've watched as his awesome suggestions/advice are accepted, then ignored. Just like mine.
The more I think about it, about how organisations have great employees but ignore them, then hire Big4 consultants to say the same thing (and often ignore that as well with all kinds of stupid justifications), the more I think the problem is how security is "valued."
Basically, it isn't.
The lip service matters. Managers need to be seen to do the "right thing" (which is why external consultants get brought in to say the same as in-house staff). Being able to show auditors you have a report matters more than fixing a problem.
This creates an interesting problem - at least for anyone who strives to be good at the job.

All too often clients & hiring managers don't care. They will ignore the report however good it is. A terrifying number of consultants I've worked with have been, basically, incompetent.
But they find work. They find contracts. They find permanent roles. Etc. Being rubbish doesn't matter because the outcome is the same if you are good or bad. For a hiring manager, if someone AWESOME charges £100ph and someone incompetent charges £90ph, it's a no-brainer.
Sadly, by no-brainer, I mean saving £10ph is often the business decision. As I said, they are going to ignore the outcome so getting the AWESOME person is literally wasting money. All they need is to have "someone" do "something."
To be clear, this breaks my heart.
So, before it's too doom and gloom, not every organisation does this. Also, some who do, don't realise it and the hiring managers genuinely want good advice but they often don't know enough to really tell good from bad. But this is a minority world view.
Infosec (cyber security, IT security, whatever) is a young industry. It's not well understood by clients. It is still full of charlatans and snake oil sellers. Big orgs sell CyberEverything with massive markups using barely skilled staff. It is chaotic.
I hope one day it settles down. That good people become genuinely valued and the [bad|charlatans|asshats] are hounded out.

That day isn't today though.

(</rant>)
You can follow @tazwake.