
> more scared of failing an audit than they are of the consequences of failure of the underlying systems the audits are supposed to be protecting.

Duh, else there would be no need to audit them to force compliance, they'd just do it by themselves. The only reason it needs forcing is that they otherwise aren't motivated enough.




Good point. But the audit seems useless now. It's supposed to prevent the carelessness from causing... this thing that happened anyway.

Sure, maybe it prevented even more events like this from happening. But still.


> Good point. But the audit seems useless now. It's supposed to prevent the carelessness from causing... this thing that happened anyway.

> Sure, maybe it prevented even more events like this from happening. But still.

Because the point of an audit is not to prevent hacks; it's to prove that you did your due diligence to not get hacked, so the fact that a hack happened is not your fault.

You can hide under the umbrella of "sometimes hacks happen no matter what you do".


CYA is the reason you do the audit. But the reason for the audit's existence and requirement is definitely so that hacks don't happen. Don't tell me regulatory agencies require things so that companies can hide behind them.


The reason for the audit's existence is CYA one level above. The chain ends with a politician's CYA in front of the electorate.


To be fair, I'd claim that it's pretty rare for anything anyone ever does to not be a trade-off.


Audits are papering over the problem rather than fixing it. The only way to make them responsible is to put real liability on them.


Who is them though? The airport that used this software? You can't put all the blame on the software vendor. It can be a good and useful component when not relied on exclusively for the functioning of the airport. Not relying on a single point of failure should be the responsibility of the business customer who knows the business context and requirements.

You will have each company person pointing at the others. That's why you have contracts in place.

You won't ever have real consequences for executives and real decision makers and stakeholders because the same kind of people make the laws. They are friends, revolving door, etc.


There's no responsibility at any level, is the thing. Those people who couldn't fly might get a rebooking and some vouchers sent out to them, but they won't really get made whole. The airport knows they won't really be on the hook, so they don't demand real responsibility from their vendors, and so on.


In the grand scheme of things, being able to fly around the globe at these prices is a pretty good deal, even with these rare events taken into account. It's not like the planes fell out of the sky. If you must definitely be somewhere at a given time, plan to arrive one or two days earlier.


The dynamic between compliance and operational integrity
