I was talking with a colleague (not a security guy) who made the point that in the marketplace it seemed like Apple and Google can do no wrong and Microsoft can do no right. That struck me as interesting because I think the tide has shifted in security, where Microsoft can do no wrong and Apple/Google can do no right.
I don't think either situation is healthy, and generalizations are prone to extremes anyway, but it made me wonder – which situation would you rather be in if you were selling non-security-related software (and hardware, I suppose)?
Who is most profitable? Who is in a good position in the most new, high-growth markets? Who has a track record of wise R&D spending?
@Alex – Hmmm, are you saying it doesn’t matter? Or that one of my positions drives your set of questions?
You were just asking me who I’d rather work for if I wasn’t in Security – and I’m answering that if I weren’t in security, I’m not sure a proactive vs. reactive approach to InfoSec in the SDLC would even register in my decision-making criteria.
That said, my personality tends towards “problem fixing” so if I were to join a company with a reactive approach, I’d probably want to be part of a project to make it proactive. But I’d have a very “security must be seamless” mindset. Otherwise, you get lots of (unnecessary) authentication.
I don’t understand your point after asking a question with a hypothesis you don’t trust. I never thought of “security” as something you can easily adjust. To me, assessing the security of a software product or service allows me to understand the maturity of the development team. Ergo, the maturity of the security inside a product should be comparable with its other qualities, no more, no less.