by genmud 1071 days ago
You know these are the floor of what you should do, not the ceiling.

If a big company can’t explain why they aren’t doing the bare minimum defined in a framework, that’s a red flag.

There are open source solutions for the majority of controls in these frameworks. It isn’t 1995.

My argument is that they're lower than the floor, which makes using them to try to detect the floor dangerous.

Having worked with a number of different companies: these frameworks are the floor of best practices, but they are far above the subterranean caverns many companies operate their security postures from.

You can do worse than The Frameworks! But it doesn't follow logically that The Frameworks are a good starting place --- they can be (really: are) worse than the outcome from simply ignoring The Frameworks altogether.

Can you provide some examples?