
I worked at a government contractor that was rolling out NIST compliance. Everyone, from IT to engineers, hated it. You can rest assured that as soon as someone isn't looking, they're going to violate it.

I have never come across a compliance policy that people didn't hate.

Compliance, almost by definition, needs to make people's jobs harder or create extra work, because people are lazy and tend to go for the path of least resistance, and those are not good things in the context of safety and security.

Compliance is a tool. It's used to enable security iff the C-suite want to use it that way; otherwise, it's just another meaningless metric.
