by unethical_ban 1070 days ago
Worked at a bank for years. So many things we wanted to do to really get our firewall policies modern and more actionable for the SOC. Layer 7 enforcement, user-based policies, deduplication of rules, more aggressive cleanup.

Things needing to be done a certain way for the auditors were a major hamper in our processes.

I'm now consulting and I have seen people do changes to their policies in such strange ways because they have to jump through ridiculous hoops for their industry regulator.

Yes. I've come to believe that much of the skill involved in doing security compliance work is in managing (strangling) down the scope of the framework, and almost none of it is in using the framework to inform and improve real security practices. This is what I mean when I keep saying here that these frameworks are not a "good first step". If you don't actually have to engage with them, because your customers aren't demanding it, you should actively avoid them and use that precious time to build a real security practice.