by jhelphenstine 2233 days ago
>...that security compliance has become a make-work field for the unskilled, whose role is to be both an easy mark and a scapegoat for reckless corporate behaviour.

I like the cut of your jib, sir.

>It's 90% an exposition vehicle for displaying how esoterically knowledgeable the practitioners are about hacker trivia and jargon, and from a business perspective, it's just kids playing in the sandbox who produce the compliance artifacts you want to get your project approved. Geeks get to geek, and project managers get their amber status risk, and when Equifax/OPM/LifeLabs happens, everyone says it wasn't foreseeable because they were "compliant." The frameworks externalize risk into models that are divorced from reality, which hides it, and that's why institutions buy into them. I'd say they're the collateralized debt obligations of engineering.

I think these risk models are part of a mutually agreed kabuki illusion. It's hard work to assume prudent risk, to identify hazards specific to an organization's objectives, devise appropriate controls, etc. These frameworks offer a solution: if "industry groups" agree to hold them as valid, then it's like you say -- project managers get their amber risk status, and the large-scale breaches are simply "Who could've known?" events, where lessons learned are drafted, reports are produced, commitments are made, and life moves on. Building up the compliance industry - and I'd add no small part of the cybersecurity industry, tier 1 SOC personnel, etc. - seems to me to be creating a class of worker ripe for having the floor yanked out from under them in a recession. It's cost-center work, but it's marketed as 'cutting-edge skills for the burgeoning cybersecurity industry'. What's the revenue generated, or costs cut, by monitoring those dashboards with human eyeballs?