
> If your threat model includes...

At my Fortune 250, our threat model apparently includes -- rather conveniently and coincidentally -- everything! Well, everything they make an off-the-shelf product for, anyway. It makes new purchasing decisions easy:

"Does your product make anything, in any way, more secure?"

"Uh... Yes?"

"You son of a bitch. We're in. Roll it out everywhere. Now."



This reminds me of our own security team, who as far as I can tell do nothing but run POCs of new security tools. And then maybe once a year actually buy one, generating a ton of work (for others) to replace the very similar tool they bought last year. Seems like a good gig.


And the sad/funny thing is that said tool would probably do diddly squat if one employee falls for a social engineering/phishing attack.


Occasionally security products turn into malware delivery platforms as well, because they run very privileged, are sometimes more shoddily developed than what they’re protecting, and have fewer eyeballs on them than the vanilla operating system.

Not to mention they may be another Crypto AG.


> Occasionally

Much more frequently than that if you lump 'antivirus software' in with security products.


As someone whose company just suffered this exact issue, all I can say is yes.

They gave me a laptop with 8 GB of RAM. The laptop runs invisible security software that nominally takes 6 to 6.8 GB.

We just got penetrated by two attackers in the last 40 days.


> We just got penetrated by two attackers in the last 40 days.

* that you know of


And then when there is a security issue you ask them to share the log files from all their spyware, and suddenly half the stuff needed is not there because we did not get that module.


Or ‘oh, that feature hasn’t been rolled out yet, expect it in 6 quarters.’


Ahh, I've been there. I'm sure no concern is given for usability of the result.

Welding your vault shut may make it harder for thieves to break in, but if your business model requires making deposits and withdrawals, it's somewhat less helpful.


Luckily, all but a tiny portion of security products have a door you didn’t know about that you can open if you ask support nicely enough. So you can still get your stuff after you weld the door shut.


There's no thought given to whether the cost to secure the thing outweighs the risk of exposure?


I’m not privy to those discussions, but it certainly doesn’t feel like they’re happening. We implement every security “best practice,” for every project, no matter how big or small. We have committees to review, but not to assess scope, only to make sure everything is applied to everything. Also, we have multiple overlapping security products on the corporate desktop image. It feels EXACTLY like no one has ever tried to gauge what a compromise might cost.

