undefined | Better HN

0 points_wldu4y ago0 comments

This is the continued dilution of security with audit/compliance. It's a mindless, check the box mentality. They don't care about real-world security, they offer insurance to cover the losses. But many insurers are no longer paying due to the volume of incidents and the lack of sound security.

The auditors are typically 10 to 15 years behind technical security expertise.

0 comments

Wowfunhappy4y ago

> This is the continued dilution of security with audit/compliance. It's a mindless, check the box mentality.

If I can play devil's advocate for a moment—isn't this just how insurance necessarily works? Your car insurance company isn't going to interview your teenage son; they don't care that he's a particularly mindful individual, who never speeds because he remembers the time a close friend died in a car crash. "The policy says 17-year-olds are high risk, pay us a zillion bucks a month."

Of course, guidelines that have literally zero value still have zero value. But they have to come up with something concrete...

Vrondi4y ago

Bad example. They aren't going to interview your son, but _most_ will take his high GPA and certificate of completion of Driver's Education class, and give you a discount for it, which is the next best thing without spending the time to interview him.

Wowfunhappy4y ago

But isn't that driver's education class certificate basically a “checkbox”? I don’t think it’s so different from those IT certifications.

fuzzer374y ago

I think the difference is that taking a drivers education class, and (in my experience, at least) is that there is actual hands on driving experience. I think an IT certificate or security audit is a lot more abstract.

The only way to check the "Has taken a driving class and has at least 20 hours behind the wheel" is to do just that. How many different ways could you check the "Secure password requirements are enforced by users" box? How many ways could you check the "physical security to encrypted systems" box?

1 more reply

pmontra4y ago

> The auditors are typically 10 to 15 years behind technical security expertise.

Probably not, but they are there to be paid by their customers. Does the customer have to mark a checkbox on a regulatory form? Give the customer some answer which is not blatantly false or useless, get the money, come back next year.

cjonas4y ago

This is spot on... I wish I could share my recent experience

j / k navigate · click thread line to collapse

0 comments

Wowfunhappy4y ago

> This is the continued dilution of security with audit/compliance. It's a mindless, check the box mentality.

Of course, guidelines that have literally zero value still have zero value. But they have to come up with something concrete...

Vrondi4y ago

Wowfunhappy4y ago

But isn't that driver's education class certificate basically a “checkbox”? I don’t think it’s so different from those IT certifications.

fuzzer374y ago

1 more reply

pmontra4y ago

> The auditors are typically 10 to 15 years behind technical security expertise.

cjonas4y ago

This is spot on... I wish I could share my recent experience

j / k navigate · click thread line to collapse