The problem with cybersecurity is that it’s ruled by pajeets and lawyers. The lawyers know nothing about cybersecurity because they’re lawyers. They just want legal assurances, so they demand company certifications (ISO standards) and they don’t care about anything else. The pajeets in IT / security roles know nothing about cybersecurity because they’re pajeets. They’re also lazy, so security means mindlessly following a check list and crippling the company by shutting down essential services even though the full docs say not to do that. Some of the sketchy monitoring software they install makes the company even more vulnerable and they don’t care. They just act important (they’re narcissists) and probably sell the company’s data on the side (they’re also corrupt).