It's even more common to hire one of the big consulting firms to do most of this. Every layoff at large companies I've been involved with was done via a Bain, BCG, etc...

> Say we're shutting down the self-driving car division, folding up recruiting, or choosing to accept the risk that comes with getting rid of the whole security team.

Did you intend this to be a spit take? The sentence read about the same as “Say you’re taking a stroll around town, visit a few cafés, or decide to end the day by jumping into an active volcano.”

I'm guessing a reference to Patreon in September this year: https://techcrunch.com/2022/09/09/patreon-security-layoffs/

Wow, thanks for the link, I did not know. That's... bad.

bit like seeing someone jump into an active volcano, really

No, I didn’t mean it that way or in reference to a specific company - although I can see how it read that way! Your comment made me laugh.

The point was more that layoffs can take out big slugs of staff without considering the individual, in a few different ways: initiatives we can just cancel completely (self driving cars); people we will likely need later but less in the shorter term (recruiting); or places where we consciously take on added risk (losing security).

I do think that for the company that sacked their security team, the executives may very well have had a full understanding of the risks it created — but couldn’t easily say so publicly (“we chose to 10x our risk of a security incident, so we keep 1 more product initiative staffed which might save us”). Just speculation. Not a situation I think many of us would be comfortable in.

frankly, as someone who is absolutely not a security expert but who pays attention to security concerns, most security efforts provide very little business benefit.

What was it Steve Yegge said in that legendary platforms rant?

"But I'll argue that Accessibility is actually more important than Security because dialing Accessibility to zero means you have no product at all, whereas dialing Security to zero can still get you a reasonably successful product such as the Playstation Network."

Even if you get bit by a huge data leak, it's just not going to matter that much (from a business perspective) if you already managed to become a big, significant part of the world (like PSN or Equifax - they're still around today, largely unimpacted by their screwups).

If you don't manage to become a big, significant part of the world, security successes or failures just won't matter that much. You don't have a lot of value, because you don't have a huge treasure trove of data, so you're not a primary target for most attackers. You'll sit there being irrelevant, and if there is a breach someday, probably neither you nor any of your handful of customers will actually notice."

Am I content that the world functions this way? No.

But I think it's important to recognize that it does.

> , typically to avoid leaks or creating hysteria ahead of decisions being finalized

When a layoff is known to be coming, the best and most employable people will often head for the doors quickly... leaving the company with a greater concentration of less desirable employees.

If it's by surprise then you'll lose fewer of the people you wanted to keep.

I don't that's really generally true. If it seems like the company is a "sinking ship", then yes, people who can see the writing on the wall and have food opportunities elsewhere will often leave quickly.

But in this case, nobody is worried about Stripe's long term trajectory or viability. I doubt the best and most employable people are leaving Stripe.

Imagine you had a recruiter call you for this next gig at great company which has +20% salary bump. Once you hear something bad is coming in your current company and no idea if you will be caught in it or not, its much easier step to just go and accept the next offer that you would otherwise pass.

That assumes the "best and most employable people" are confident in their own status as such.