Hacker News
by cuca_de_chumbo 3431 days ago
This is so true. I worked for a small-time compliance software vendor where the domain expert was an incoherent mess (with all the buzzwords thrown in), the CEO couldn't discuss the software intelligibly, and the VP Engineering presented a demo video loop at a trade show booth showing themselves entering the company AWS credentials in clearly legible form.

The place had so many dysfunctions I'd not know how to start. I work for a much more professional outfit now with true appreciation for security and competence.

edit: there's a real gap in this non-glamorous compliance domain. if you address it and need to execute SCAP (OVAL, XCCDF) content, look to a very competent scanner vendor, jOVAL. The real challenges are in organizing and presenting consistent info across many compliance standards, OSs, cloud vendors, etc. ... and to scan entities that aren't OSs per se, and to analyze cross-domain conditions.