> a lot of checkboxes

Yeah, I'm self-taught on this stuff, but I've started to think that's not all bad. I literally downloaded every one of the NIST 800 series, the FIPS series, the CNSSIs, all of it, and went through everything to figure out what connected with what. Most of it is pretty damn obvious. You should secure your internet-facing servers, sanitize inputs, never hold actual passwords in a database, use some form of 2FA, etc. But there are a lot of dudes with degrees in "cyber-something" or "IT something" who lord over me with their government-bestowed positional authority. (I'm just the clinical informatics physician with an undergrad in physics from a top school who teaches machines to diagnose disease, trying to deploy things to actually save lives, so what the fuck could I possibly know about the dark arts of cybersecurity? "Oh, god, here he is talking to us about numbers again, borrrringgggg. I bet he's going to ask us when the GPUs are going to be on contract. Again. Like, bro, we'll get to it. Later.") Come to find out, a lot of these fuckwads speed-click through their ATO checklists. Shockingly, the timestamps on the checkboxes are all on the Thursday afternoon before the Tuesday "surprise" inspection that happens the same week of the year every time, run by the guy they used to work for at the last gig. And then the guys actually trying to get shit done get drowned by the 50 fucking drones who all show up to the weekly meetings and pipe up with their 30 seconds' worth of input. And the guy trying to actually deploy product spends the rest of the week establishing that the drone didn't actually know what the fuck was going on in the meeting and just blurted something out at the appropriate moment, relying on the last 30 seconds of banter to guide his statements. Not that I'm bitter or anything...