Back in my day we used to call it "IT security", and nobody gave a poop about this. Then hack after hack after hack, costing $bn and people woke up to the need of IT security and IT audit.
But hey, nobody wants to admit that they fell asleep on the wheel. Then suddenly "IT security" was dead and "Cybersecurity" was born.
I get your feelings. Some organizations have the wisdom to give the CISO a chair on the big table, and some others prefer the quick buck at the risk of the big disaster. There is no correct answer on this. Their company = their choice. We can only chose to not-shop-from or not-work there.
Don't think of infrastructure as "one big thing". Consider that it was being secured one-asset-at-a-time. So, one server = 1 server hardening = Farm/WLAN+Firewall+IPS+IDS+Vuln+PenTest. And then you automate. One of my favorite mottos are "set it and forget it" (but set it right, automate the tasks and review schedulers and results thoroughly).
So yes.. it can be done, good and well, it can add value/reduce risk.
But hey, nobody wants to admit that they fell asleep on the wheel. Then suddenly "IT security" was dead and "Cybersecurity" was born.
I get your feelings. Some organizations have the wisdom to give the CISO a chair on the big table, and some others prefer the quick buck at the risk of the big disaster. There is no correct answer on this. Their company = their choice. We can only chose to not-shop-from or not-work there.
Don't think of infrastructure as "one big thing". Consider that it was being secured one-asset-at-a-time. So, one server = 1 server hardening = Farm/WLAN+Firewall+IPS+IDS+Vuln+PenTest. And then you automate. One of my favorite mottos are "set it and forget it" (but set it right, automate the tasks and review schedulers and results thoroughly).
So yes.. it can be done, good and well, it can add value/reduce risk.