When I was a CISO for a global defense company, I realized that a company of any significant size or complexity could never “do” security for themselves. Why can’t big companies go it alone? Partly because of specific resources and expertise that is not resident in-house and partly because of all the things that compete with delivering security, namely projects, politics, personalities, egos and all the other fun stuff that comes with being in a big company. Political correctness and all of the other impediments of a big company naturally get in the way of delivering actual security. Executives have pet projects that compete with core mission requirements and day to day security falls behind.
Couple that with an executive audience that didn’t grow up with and therefore can’t understand the threat, at least not in a way they can quantify like other business issues, and you have a recipe for excess spending on underperforming solutions. This article makes the point. It’s not the sexiest breach to be reported but I’d argue it’s the kind that most likely applies to the majority of companies. Said another way, this was work that probably could and should have been done by internal resources but there are no villains in the story. Security and IT were probably overworked and delivering some IT projects rather that actually delivering security.
I don’t think this is going to change anytime soon which is why I think deliverables-based engagements with trusted partners are here to stay.