> an overwhelming focus on compliance rather than actual good security practices
Yes, this is sad and mostly a waste of time.
However (and perhaps it is what you meant) this is a direct reaction to the lack of that cultural shift towards caring about security.
So security teams are mostly left with two choices. One, argue for building secure products because security matters (and be laughed out of the room). Or two, argue for compliance with what the auditors require, which at least moves the needle a tiny bit toward security (sometimes).