clarry: Being a security expert does not make them an authority on corporate law. On the contrary, I would totally expect most software & security people to completely buy the often parroted myth that corporations are legally bound to maximize shareholder value. I would expect this to slowly change as companies come out of the 70s and start thinking different:
https://opportunity.businessroundtable.org/ourcommitment/
Even if he did not believe that myth, I could see him taking the viewpoint of a greedy board member whose bonuses do not depend on doing the right thing (or doing security right) but on making more money.
To the contrary, I think that outside of management, software people are among the people who are in the best of positions to observe the contradictions between the image corporations project and what they actually prioritize when push comes to shove. As a software developer, I've seen a lot of things.
And as someone who helps manage security for a lot more companies, Bruce has seen even more.
After all, even when they are not selling software themselves, all companies depend on software to manage the minutiae of their operations, and the people developing/operating the software are in a good position to understand the company pretty intimately (the good, the bad and the ugly) in a way that most outside analysts might not be able to.
In the same way that royalty could not hide a whole lot from their servants, you can't hide a whole lot from people who manage your software which is an important reason why they tend to have to sign NDAs.
Working for a lot of software companies has given me significant insight into the plans of various companies I worked for and how they tend to think in general.
Similarly, you can bet that while the community was taken aback over the years by certain choices GOG made, the software developer working on GOG's website and Galaxy knew all along where this was going. Having been in a similar position, I've sometimes wished I could talk to their developers to know where all this was going honestly. They know.
clarry: Do you happen to have one example of actual legal text rather than opinion?
I have a lot of juicy morsels as an insider, yes, but NDAs tie my hands here. Trust me, it's not good.
Otherwise, it's really, really hard to defend that publicly traded companies are not primarily profit-driven entities if you follow things. However, giving more specific examples would lead to a more political discussion (i.e., it would make certain places and certain companies look bad), so I won't go there here. It's not the right forum for that discussion.
clarry: It sounds like you're arguing a different point now. You're arguing that companies cut corners because doing everything right costs time and money. I'm 100% with you on that. It's a question of time, resources, and incentives. It's decidedly not a question of "literally bound to do everything in their power to maximize investor revenue."
Well, maximizing revenues has two important components: Maximizing the revenues themselves and cutting costs.
So yes, cutting corners is to maximize profits.
clarry: 0) the primary decision an investor makes is whether to invest in a company or not (company is already expected to be on the right growth trajectory or ethical standard by the time the decision to invest is made)
1) investors are in the business of trading, not in the business of running a company. they don't have time and field expertise to be sitting in meetings and making decisions for the company
2) hence, expertise is deferred to the executives (and to their subordinates, recursively)
3) executives have the duty to keep shareholders in the loop, but this is mainly about the big picture and financials; investors want to know how the company is doing so they can make the right trading decisions. these are all public reports and briefs and calls
4) shareholders vote in elections and if shit really hits the fan, they can replace board members... but these decisions are very far removed from day to day operations and the general way in which the business behaves
There will be no meeting with shareholders where the shareholders decide that let's neglect security and use the saved monies to pay us bigger dividends.
The situation can be a little different for small companies and startups funded by private money, but we weren't talking about those anyway so..
Precisely. The investors tend not to be invested in the minutiae of managing the company. The investors tend to be invested in profits (either in the form of growth or dividends).
This in turn pushes the agenda all the way down from the board members to executives to lower-level managers that tell the software engineers to cut corners with security (and everybody is watching everybody else to push that agenda forward). Again, I can't give you specifics, but I know, I've had a front row seat to observe some truly horrible decision-making there. The software industry is the wild west right now and I really hope that regulators eventually come down hard on it, but for the most part, that push won't come from software companies.