by tptacek
1070 days ago
Yes. I've come to believe that much of the skill involved in doing security compliance work is in managing (strangling) down the scope of the framework, and almost none of it is in using the framework to inform and improve real security practices. This is what I mean when I keep saying here that these frameworks are not a "good first step". If you don't actually have to engage with them, because your customers aren't demanding it, you should actively avoid them and use that precious time to build a real security practice.