by arianvanp 80 days ago
If you care about this stuff you need in-house auditing and to do your own audits with people who care. Then get certified by an external auditor for the paper.

You can start very lightweight with doing spec driven development with the help of AI if you're at a size where you can't afford that. It's better than nothing.

But the important part is you, as a company, should inherently care.

If you rely on an auditor feedback loop to get compliant you've already lost.


This function exists in every publicly traded public company, and is called internal audit.

It has the potential to be incredibly impactful, but often devolves into box ticking (like many compliance functions).

And it's really hard to find technical people to do the work, as it's generally perceived as a cost centre so tends not to get budget.

Nobody really tries to get technical people to do the work.

Like cool, it's a great idea and would potentially produce positive results if done well, but the roles pay half the engineering roles, and the interviews are stacked towards compliance frameworks.

There's very little ability to fix a large public company when HR is involved.

Maybe it should be treated like on-call duty and have the load spread between existing engineers on some kind of schedule, maybe with some extra comp as incentive because it's boring and will take more effort/time in the "easy case" compared to pager duty.
I think 12-24 month rotations would work really well, but given how the profession is currently set up, that would be difficult to do.
Speaking as a technical (data) person currently working in internal audit for a not quite public company, it's not entirely uncommon.

I do agree that the pay isn't great, but it's the fact that it's considered a cost centre that's been the issue for me.

Everything except for sales tends to be seen as a cost centre. It's ridiculous.
To be honest, I would even go further: if you think certification equals security, you are even more lost.

So many controls are dubious, sometimes even actively harmful for some set-ups/situations.

And even more so, it's also perfectly feasible to pass the gates with a burning pile of trash.

And they do not track the industry at all, at best they'll help you win the war of five years ago.
Imagine my face when I had to take periodic backups of stateless, immutable read-only filesystem, non-root containers for "compliance".
Maybe that's just a good moment to review your _policy_. About a half of our compute is exactly that, and we just don't have to do this sort of backups, that'd be silly.

We don't deal with the military though, only fintech (prime brokers and major banks, funds) and some government. Plenty of certifications (have someone on site all year round), no silliness.

That's hilarious :)

Good morning to you too...

But companies don't care. They don't want compliance for feel goods, they want compliance because their partners require it. They do the minimum amount required to check the box.
Caring about security and caring about some of the arbitrary hoops you have to jump through for some of these compliance regimes don't always overlap as much as you'd expect.

I've been at companies where we cared deeply about security, but certain compliance things felt like gimmicks on the side. We absolutely wanted to do the minimum required to check that box so we could get back to the real work.