It seems that organizations where security is a compliance-driven process are barely concerned, or not concerned at all, about security breaches, only about regulators.
Some of those processes are a fucking joke. The HIPAA technical safeguards include nothing particularly interesting; the hard part is the paperwork and legal ass-covering. Some PCI-DSS "auditors" are nothing more than salespeople who bought Nessus or similar and charge $10k/pop to run it, slap a logo on its report, and email it to you. Security regulations that businesses at large actually seem to care about have nothing at all to do with secure software engineering, just checking boxes like "have a firewall" and "have a password policy" and "have a network security policy" as if producing an endless trail of Word documents will make you less vulnerable.
superuser2: you're telling me that having a process for firewall changes or rotating your keys is a joke? What other process is a fucking joke? System Hardening? Log review? Source code analysis? Updating your network diagrams? Physical access monitoring? These are all processes (and more) that compliance says you should do.
You bitch about word documents when I bet you've never even gone through a thorough compliance process.