by bitexploder
2680 days ago
Because checked boxes don’t mean much. CIS level 2 = a lot of checked boxes. Using cyber security frameworks is great, but some of the most compliant and “advanced” organizations have the worst legacy cruft you can imagine. We work with orgs all the time, and organizations that use these frameworks with expert guidance can easily secure their most critical assets while only implementing the right parts of a framework. And the best frameworks have risk-based targeting for maturity levels (NIST Cybersecurity) of various activities. These frameworks can end up being a bit of security theatre if you are just implementing them for the sake of “having security”. Guess I am just jaded after breaking software and networks for over a decade. Some of the most secure organizations have very adaptive security practices that focus on application security. Some of the worst are ISO, CIS, STIG policy template hardened blah blah blah. Just don’t put these frameworks and policies on a pedestal. The real security work happens in the margins.