Security in IT these days is very nearly a house of mirrors.
At a fundamental level, they're practicing security through obscurity because they're afraid that releasing the data tells the bad guys too much. Only after a threat is well understood and they think they have a fix suitable for an AV-type company do they publicly release the data. This seems to apply even when stopping the threat is best done by patching the software.
On one level I understand it and sympathize. On the other hand, it sure seems to make life more difficult for the rest of us.
I'm glad I don't work IN the house of mirrors, and only need to transit it from time to time. I much prefer the clarity of "the magic smoke got out, can you fix it for me?"