by busterarm 1245 days ago
I largely agree with you, but the problem ends up being when you have some braindead person in your GRC role who persistently fails to grok the scale of the operation...or doggedly insists that you prove negatives.

Example: Some idiot person we have in IT insists that a control for proving lack of user admin access should be to screenshot the userlist w/ group permissions of every single server in our operation. Idiot IT person doesn't realize that we're at n*10^5 servers and still fails to understand how braindead his request is when you explain it to him.

A lot of people now pursue the IT security industry itself without having any shred of experience managing computer systems, then confidently wade out into industry claiming to be experts.


Which kind of begs the question why pro-compliance people don't work to weed out what are effectively the white collar equivalent of clipboard warriors within their ranks since they reflect so poorly on and cause headache for the people who actually know anything.
"I used to be a lawyer but now work in IT", "I'm reporting and escalating your non-cooperativeness right now"
I've seen a lot of exodus professions into tech but thankfully after 20 years, I haven't seen many lawyers yet. Very few have the personality for it.

Give me all of the hungry musicians that you can find though, they're great systems-thinkers.

The “proof via a series of tedious screenshots” method of audit is absolutely infuriating. Please bring on the 10x auditors…
When you don't know what you're doing, dazzle them with bullshit.

Best part of the story above is that in our system there are no human users that can access a live system. And proof of that is insufficient because the IT person isn't familiar with the practice.
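The screenshot-per-server control from the first comment and the "no human users on live systems" point above are the kind of evidence that should be collected by machine. The following is an added example (not code from anyone in this thread): it parses each host's privileged-group membership, flags any member that is not a service account, and emits a hash an auditor can recompute. The hostnames, group names, the `svc-` naming convention and the sample files are all constructed assumptions.

```python
"""Automated evidence for a 'no human admin access' control."""
import hashlib
import json
import re

# Assumed convention: service accounts are named svc-<name>; anything else
# found in a privileged group is treated as a human and flagged.
SERVICE_ACCOUNT = re.compile(r"^svc-[a-z0-9-]+$")
PRIVILEGED_GROUPS = {"sudo", "wheel", "Administrators"}


def parse_etc_group(text):
    """Parse /etc/group-style lines into {group: [members]}; skip bad lines."""
    groups = {}
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) != 4:
            continue
        name, _pw, _gid, members = parts
        groups[name] = [m for m in members.split(",") if m]
    return groups


def privileged_humans(groups):
    """Return sorted (group, account) pairs for non-service privileged members."""
    hits = set()
    for g in PRIVILEGED_GROUPS.intersection(groups):
        for member in groups[g]:
            if not SERVICE_ACCOUNT.match(member):
                hits.add((g, member))
    return sorted(hits)


def build_evidence(host_files):
    """host_files: {hostname: raw /etc/group text}. Returns the violations per
    host plus a SHA-256 over the canonical findings so the result can be
    re-verified instead of eyeballed."""
    findings = {}
    for host, text in sorted(host_files.items()):
        findings[host] = privileged_humans(parse_etc_group(text))
    canonical = json.dumps(findings, sort_keys=True, separators=(",", ":"))
    return {"hosts": len(findings),
            "violations": {h: v for h, v in findings.items() if v},
            "sha256": hashlib.sha256(canonical.encode()).hexdigest()}


# Constructed sample data: one clean host, one with a human in wheel.
SAMPLE = {
    "app-00001": "root:x:0:\nwheel:x:10:svc-deploy\nsudo:x:27:\n",
    "app-00002": "root:x:0:\nwheel:x:10:svc-deploy,jsmith\n",
}

if __name__ == "__main__":
    print(json.dumps(build_evidence(SAMPLE), indent=2))
```

Feeding the real inventory (the same `/etc/group` pulled from every host by whatever fleet tooling already exists) into `build_evidence` turns the control into a repeatable check with one artefact to file, rather than n*10^5 screenshots.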

> When you don't know what you're doing, dazzle them with bullshit.

100% because most people don't know what makes good security so it is easy to get them to mistake volume with quality.

Then they printed those screenshots out to be bound into a thick report to be presented to the board. (Not where I am but in a previous employer. Still makes me laugh).