
The problem with compliance is that it is pseudoscientific. There is no independent oversight: all regulation and tools are promoted by compliance companies selling those tools. There is no penalty for punishing the innocent. There is no reasonable cost. More is always better. There is no court to complain to or a channel to opt out.

It's a bit like antivirus on PCs: it is sold to you as scareware but in practice is snake oil, not really effective against any modern virus or trojan. You still bear the cost of your PC slowing down 25%.

Here is a good Forbes post by David Birch on the topic:

https://www.forbes.com/sites/davidbirch/2021/05/03/im-anti-t...



Anecdotally, I know of at least one large FI that tells auditors it's doing x, y, and z for security, when in reality their security practices are abysmal. They spend $1MM a year on a vendor product that in theory does x, y, z (though quite badly), install it on a server, and then never think about it again.

I've had important projects canceled because executives go 'oh we already have $tool this project is a waste of time'. I demonstrate that $tool hasn't been updated in a decade, has 0 users, and is completely ineffective, and how the project will address these issues. They respond 'oh we already have $tool this project is a waste of time'.


You are not buying a solution, you are buying compliance. It does not matter if the problem is hidden or removed, because the outcome for the executive's success is the same. Hiding usually costs less.


Indeed. It took me a while before I realized that "tickbox compliance" was a deliberate strategy and not mere incompetence.



