As someone who does cybersecurity consulting for govt. contractors, companies invest in security when some external force forces them to, and then they spend the bare minimum to meet whatever that force requires (and they try to get away with less at every opportunity).
Right now in government contracting we’re experiencing this paradigm shift where the NIST-800-171 standard (which everyone was required to follow, but kind of on the honor system) is going to be replaced in 21 months or so by something called CMMC (Cybersecurity Maturity Model Certification). But, CMMC is basically just the same requirements as NIST-800-171, so why?
BECAUSE, everyone just SAYS they’re NIST-800-171 compliant on all their contracts. Everyone self scores themselves on it and gets a WAY higher score than they do when being scored by a 3rd party, and then reports their self scores up the chain. The way this works in both DoD and NASA projects, which is what I’m familiar with, is the big players like Boeing, Northrop Grumman, Raytheon, etc, have thousands of smaller suppliers and those suppliers have smaller suppliers, so the requirements flow down from the govt to the big contractors to the small subcontractors and each link in the chain is responsible for making sure the upstream links are compliant… which they NEVER are, but they all say they are!
Of course, the government KNOWS this is happening, but lacks the resources to do anything about it. So the solution is to make everyone get third party certified that they are compliant. Half that industry is setting themselves up for failure to meet that deadline (which, of course, has already been delayed and pushed back multiple times) and I have a feeling that when small companies start failing their CMMC certs, they’re going to get stern warnings instead of losing their contracts because the government has to buy shit from someone.
When I talk to the money / business people at my clients, this goes in one ear and out the other.
There are wide spread (willful) misconceptions among those folks that cybersecurity is something IT people do and everyone else just does their jobs without having to think about it. I’ve had CEOs say things like “No, we’re not doing that, we can’t work that way.” when I educate them about their requirements… and then look to me to provide the solution where they don’t have to change anything about the way they work and when I can’t, they get frustrated with me and my team. I’ve had them ask me “Well what do the big companies do?” and I say “Look, they actually TRY to do all these things they require you to do and they fail at it ALL the time, but I’ve heard you complain about how their bureaucracy and rules slow everything down and make working with them difficult. A bunch of that stuff IS what they do to deal with this.” And they just don’t believe me. I’ve had CFOs say “We don’t have the budget to do all of this, so which parts are the most important?” and I’ve said “This is the LAW. You’re supposed to do all of it!” But they know and I know that for the time being no one will hold them accountable.
Right now, tons of companies just say “We’re NIST-800-171 compliant” or “We’re working towards NIST-800-171 compliance” and their contracts go forward and they hire someone like me to tell them what to do and then they don’t do 60% of it and delay doing 20% of it.
This is in an industry that is required by law to try extra hard on their security. In industries where there are no such requirements, or less requirements… good luck.