by throwaway0255
2817 days ago
The computer security industry for SMBs is like 95% theater and 5% actual practice. Conducting that test produced something tangible for whoever made the purchasing decision: It clearly illustrated a need for the services rendered, did it in a way that offered job security to management by giving them license to assert the position over their subordinates, and established a metric by which to evaluate the security company's performance which can be easily, repeatably, and predictably improved over time. It also checked a lot of boxes that will be useful in court if they ever need to prove that they weren't negligent on privacy and security, which is a form of insurance that has real measurable value when it comes to legal claims.

I'd say it's 40% paranoid arse-covering by IT department heads, 35% whatever middle management incorrectly assumes to be current best practices, 20% ego-stroking by the CIO, and 5% sensible context-driven decision-making by IT front-line staff.