Comment by orev
3 years ago
As someone on the receiving end of dozens of these audits per year, it’s extremely obvious that both sides are just checking off their boxes and don’t have any actual understanding of anything. One side has to perform that audit, and the other side has to comply with it. Everything is outsourced to the lowest level people possible. It’s essentially a zombie industry where both sides just mindlessly generate documentation so the business people can check their own boxes before closing a deal.
Gives higher ups peace of mind. Same reason they love to move everything to the cloud and happily ignore any privacy concerns.
If you run something in-house and there is a security breach, it gets really uncomfortable, as you need to ask questions, assign blame, draw consequences. If $BIG_SAAS_PROVIDER gets their entire database leaked then, well, it's not your fault; also, if even $BIGCORP gets hacked, it must have been really professional hackers and it can hardly be that you made a bad call here. Nobody ever got fired for buying IBM.
But at the same time it kinda works to keep everyone in line. Look at PCI for example. You might be shit on the upkeep front, but every X years some rando with a checklist will whip you into line while not really knowing anything at the same time.