This might just be me, but something that I notice more and more about InfoSec is that far too many organizations seem to care more about compliance than they do security.

Too many firms see security as a money pit (thank you to the Onion for my favorite analogy) rather than a barrier to larger financial loss.

It's like climate change; we can either spend large amounts on preventing the damage of hurricanes, or we can spend even more repairing the damage done. The second option is cheaper, so that's what companies will do. We need both compliance *and* security, and we as an industry need to keep emphasizing the importance of security.

@oruth Lots of us have noticed that before. If there is a compliance regime in an organisation that sticks its nose into everything and meddles with things it shouldn't, I suggest leaving.

I see Compliance as a legal thing; it has nothing to do with security. It does not increase the security posture much beyond basic security, and it shifts focus away from real threats.

The attached cartoon (by @joevest) describes Compliance very well, and I've seen this IRL three times when a security program got started by a desperate and minimum-effort organisation.

@Ichinin @oruth I see this as security theatre. It could be on purpose or done out of ignorance. Leadership is given advice from so many people, and they know that a company is judged by its state of compliance. It’s safe to follow compliance. The problem comes from the quality of advice. I tend to ask the question: will a change impact the threat’s ability to succeed? The answer should come from a team who actually knows what it takes for a threat to succeed. In the end, it is the org’s decision how to play in their playground. It’s not fun, but you can’t let that stress you out.