Hacker News

"Are there any security firms that actually know what they're doing?"

I think the takeaway is that knowing what you're doing is less than half the battle here.

Just as most people know how to lose weight (diet and exercise), actually making those lifestyle changes can be very difficult. Similarly, businesses, even security companies, let their security lapse because it's hard to take the time, effort and focus away from products, sales, cash to set up proper standards and controls.




But aren't security companies supposed to be in the business of reducing the time, effort and focus away from products, sales and cash that's required to set up proper standards and controls?

Shouldn't they be able to prove their own concepts internally?


The shoemaker's children have no shoes. This happens all the time. How many programmers do you know that spend all day automating the processes of others and yet still manually copy files to the production server instead of automating their own processes?


I guess to some extent. I think the reality is somewhat murkier. It's possible a lot of these companies start up with niche skills and lack broad expertise, meaning they're going to have holes.

If you've got a handful of employees and your expertise is DDOS protection then are you going to use your next hire on a DDOS specialist to work on your DDOS protection product or bring in someone to make your website safer?



