alt Hacker NewsMajor problem of entire compliance/auditing industry is not enough asking in companies "what are the actual risks we are dealing with", "what's the goal for given control", "do we have alternative control ensuring that".
Compounded by cheap shitty auditors that just mark down checkboxes on a worksheet
Agree, see the Delve fiasco. But that’s not their job. Their job is literally checkbox. However some audits are so poorly done, or have auditors with zero real world engineering or cyber experience, they’re actively harmful to a product or customer base.
Example: insane, complex password policies and password rotation policies. These are still pushed by auditors rather than trying to build a reasonable exception case with the client.