Hi Simon - thanks for your personal reply!
I’m never quite sure how to deal with these kinds of responses. On the one hand, I have first-hand experience of sitting inside Atlassian Offices, many times, observing abject staff disregard for security. I’ve had forum posts deleted to hide your security problems, I’ve observed YEARS of customer complaints across forums begging you to add security, while at the same time had your company refuse to even look at my own product which immediately solved those problems that all your users were calling out for. Time and time again, nothing I can say or do convinces anyone in Atlassian to fix security problems, or to look at security products, or to make my on-prem Atlassian security add-in available to your cloud users, or even to make minor security-enhancing adjustments to allow vastly improved security options for your users. This is not opinion or rumor or hearsay - this is my own personal first-hand observation. Atlassian treats security vendors as “the enemy”, and does everything in its power to stay away from us. To be fair - “Vendor Bashing” is a global problem, but, given that you’re Australian, I’m Australian, and your own CISO at the time was a huge Aussie-Backer - it’s especially saddening.
And then, on the other hand, you say “This isn’t PR” and then post 2 links to PR web pages that I know for certain are a huge misrepresentation of how your staff really behave when the PR folk leave the room.
I spent so much time banging my head against the Atlassian wall, that in the end I just gave up.
I am firmly of the belief that it should NOT be the job of the Vendor to sell you security that you need. It SHOULD BE YOUR JOB to find the most-secure contemporary solutions that adequately protect your users. Unfortunately we don’t see this taking place. e.g. you’d rather use OTP tech from 1984 without paying any attention to its lack of efficacy in 2020, because “that’s what everyone else is doing”. The very idea of getting something that works, even when vendors are slapping you in the face with amazing new products, doesn’t even cross your mind.
Security Culture takes more than a warm fuzzy PR web page - it takes meaningful action, and the courage to think for yourself and work out what is secure and why and how, instead of just copying everyone else. You’ve seen the charts, right? Global security is continually getting worse. You can’t turn that around by copying other people, you need to think, test, and do stuff that works.