by josephcsible
1134 days ago
If security is important to your org, then they should fire for incompetence anyone who says "let's force everyone to switch to Windows for security reasons". Also, consider that all of those stupid "security" rules generally delay the rollout of updates, which often contain fixes for security vulnerabilities. I wish that companies would say something like "if there's ever a known vulnerability in something in production that a "security" rule doesn't let you immediately deploy the patch for, then said rule is immediately rescinded and may never be reinstated."
The important thing to know about the consultants pitching assessment and remediation packages is that their assessments will always end up finding "problems" that just so happen to be exactly what their $$$$ remediation product is built to address. The various assessments won't even agree on what might be wrong.
My suggestion, then, is to approach your leadership with examples of how the assessments are really sales pitches in disguise, and have no meaningful relationship to good security practices. Show them where the consultants are pitching their Voodoo Security and how it deviates from and takes time and money away from implementing good security.