Pay should reward doing something well vs merely doing something. Of course, this would generally mean you need to pay more than the competitor which will happily pay for merely doing something. So yes it is about pay.
Also, Indian companies are competing with American and Israeli founded or funded companies and startups for the same talent.
If you are competent, instead of earning $15k TC working for an automotive company, you could demand $40k-70k in TC from an MNC or a well funded startup (assuming you have the skills to back it up) - and those are the numbers my portfolio companies use to target hiring in India, as well as what I used previously before I became a VC.
Western companies have the exact same problem though; I've dealt with plenty of incompetent people there too because the organization does not reward technical excellence and quality, so it is completely pragmatic for employees to focus their time on the things that are rewarded (engaging in politics, etc) instead.
During the startup/ZIRP era there might have been people doing the "right" thing because they had skin in the game thanks to stock options or they were paid just so fucking much that they didn't care about putting in the extra work. But as total comps go downward (coupled with inflation) the output's quality tends to regress to the minimum acceptable.
> I've dealt with plenty of incompetent people there too because the organization does not reward technical excellence and quality
Organizational dysfunction transcends all boundaries, but to a certain extent the kind of issues that lead to incidents such as the one above happen because the affected product (e-Dukaan) is viewed as a cost center by Tata Motors.
Sadly, in most cases, a lot of security will always be viewed as a cost center and never prioritized unless forced to due to insurance, audit, or regulatory pressure.
That said, a thesis I've had for a couple of years now is that if we can successfully shift left by turning security into a DevTool problem as well as an organizational problem, we can both reduce remediation time and build stickiness for security products. The AppSec category has definitely adopted this kind of mindset.