by cratermoon 1134 days ago
There are a lot of Voodoo Security Practices out there. Being able to check off all the boxes necessary for regulatory and legal compliance does not mean that an organization has good security. Many of those requirements are as useless as taking off your shoes before you go through security at the airport.

The important thing to know about the consultants pitching assessment and remediation packages is that their assessments will always end up finding "problems" that just so happen to be exactly what their $$$$ remediation product is built to address. The various assessments won't even agree on what might be wrong.

My suggestion, then, is to approach your leadership with examples of how the assessments are really sales pitches in disguise, and have no meaningful relationship to good security practices. Show them where the consultants are pitching their Voodoo Security and how it deviates from and takes time and money away from implementing good security.