
Maybe I should rephrase. I don't mean cargo culting like that. My gripe is with (most) security people whose only handling of vulnerabilities is to spread fear mongering and stupid action ASAP, without any explanation of the issue or solution. Long story short, cyber security is a circus.

Turning off TLS 1.0 in 2015 would have cut at least 30% of your user base (Internet Explorer) and was simply not an option for anybody. If there had been an explanation of what the issue is, the impact and how to mitigate, this could have been evaluated and implemented (or not), but it's never been given.

We worked together. You should recognize me really ;)

Regulations are largely fine. You should know from doing the audits. They are usually worded to say that something should follow the generally accepted standards or good practices, without specifying what they are. Either way, it's always fairly easy to delay or argue that whatever you're doing is the right thing.



Thank you for confirming, I was quite certain it was you.

And I do agree with you, within reason: financial industry tech regulation is largely fine. ("Sane") The regulations tend to state the intent of a rule, and may even specify something that clearly is not fine.

More recently I have come across different sets of rules. While it is obvious that these particular regulations have been written with the best intentions in mind, they end up making things worse. Instead of specifying what the goal and the reason for any rule is, they state only The One True Way. Reason has to be inferred, because it is unstated.

Doesn't matter if the truth in The Way may have been induced by bad 'shrooms. Once written down, it's gospel.



