The underlying premise of the article, that security is moving in the direction of accounting, I think is insightful. Having been around a few different corporate blocks, I've come across a couple of financial catastrophes, all of which had a nice tidy letter of compliance from their auditors. Of course if you dig into those audits, especially the comments between the auditors and management, then you can get to real meat that gets stripped away for the final report. I do think it is a fair parallel to where we are with security. A lot like an audit, security is often treated as side-show nuisance. We may have employees or consultants raising red flags, but by the time they get to a board-level report, those flags have changed from red to white, where the knowledgeable professionals surrender, often with an "above my pay grade" sigh.
Ultimately, the market drives corporate action, though. In the case of SolarWinds, for example, investors have seemed skittish. Perhaps that reflects the cloud of the SEC investigation. However, Equifax has more than recouped any value it may have lost related to its 2017 breach, which at most seems a blip on its record. Microsoft's blunders regarding its key security and other vulnerabilities seem to have no impact on its stock. We can run on down the line, and it's hard to find a correlation between security incidents and stock price. Perhaps the hidden message is that, like the accounting industry, we in the security industry don't do a good job connecting our metrics to human impact.
