Date: Thu, 22 Apr 2010 16:43:14 -0400
From: Valdis.Kletnieks@...edu
To: Mike Hale <eyeronic.design@...il.com>
Cc: full-disclosure <full-disclosure@...ts.grok.org.uk>,
	security-basics@...urityfocus.com
Subject: Re: Compliance Is Wasted Money, Study Finds

On Wed, 21 Apr 2010 14:44:35 PDT, Mike Hale said:

> According to the paper, roughly 40% is spent on directly securing
> secrets, and another 40% is spent on compliance of some type.  They
> further suggest that half of this compliance spending is spent on
> internal compliance, and half on regulatory/external compliance.

> I find the findings completely flawed.  Am I missing something?

My reading of it is "we spent 40% actually securing it, and an equal amount
on total bullshit paperwork and checkbox-checking to "prove" we secured it,
and the paperwork and checkboxes didn't do anything to directly secure the
data".  Consider - if you spend a week talking to the auditors, that's a
week's salary spent on talking to auditors that didn't actually do squat for
the security.

Similar to if you had to get a yearly safety inspection on your car, and
you had to pay $20 to the mechanic to do the inspection (which will hopefully
actually verify your car meets the legal standards if your mechanic is honest),
but then had to spend another $20 to file the paperwork with the local
Dept of Motor Vehicles to make it official.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/