So, I've been meaning to write a longer post on this, but time crunch barged in, so I will just drop a formula here.
First, checkbox compliance is OK: compliance is inherently "checkboxy" - as in 'here is a list - now bring your environment in agreement with it'
Second, in some sad places, compliance = security (despite all the discussions to the contrary)
Third, a result is checkbox security which is an ugly, sad, wasteful, multi-headed critter which shows up in many places at once (e.g. 'see here, it said 'IDS' - Ooook, ours is unpacked, racked and connected - CHECK!' or even 'SOX? We did SOX by doing all this documentation here. So now we are safe, right?' or 'Pay for my PCI audit and I will make you [look] secure')
You know what? I'd take a FUD-driven security (also here) over this bugger any time of the day ...
UPDATE: a few insightful comments on this blog were inspired by my piece ("Compliance gives you a 'C' - now, how do you get to an 'A'?"). Check them out!
No comments:
Post a Comment