Perhaps the real problem (which would be worth its own thread but also relates here) is that modern IT business is not about function or achievement but only about compliance.
Here is an example of what I mean: I am part of a "security OS hardening" work group and we define the (security-wise) measures to be taken on a newly installed system to make it "secure". So far, so OK. We are presented with a suggested list of measures to be taken which someone compiled beforehand. Fine with me too.
Now I inspect this list and find the item:
* remove telnet client
and I ask how this is security-relevant. Yes, I can understand the server part and I can understand switching it off, but the client poses no security risk to the system at all. It might make sense to remove it anyway, because we want the least possible number of packages installed - but this is IMHO not a security problem. No, I am told, perhaps I am right and it isn't, but because some list from the BSI ("Bundesamt für Sicherheit in der Informationstechnik", the German authority for IT security) says so, we need to remove it.
Now I ask again how the existence of a client program poses a threat and am told: "maybe it doesn't but we need to be compliant". WTF?? If one wants to be compliant, then by all means, say so! Don't call it "security", because it isn't!
Certifications come, IMHO, from a similar way of thinking: don't do something to achieve a certain defined goal and measure progress/achievement by analysing how much of the goal has been reached - do something because it is prescribed, because this way you are "compliant", and whether you in fact achieve your goal doesn't matter at all. If you want to go from "A" to "B" it doesn't matter if you actually reach "B" as long as you can prove to have bought all the prescribed tickets, because some means of transportation is "compliant" and all others are not.
In terms of certifications: it doesn't matter if you can actually do something, it just matters that you are tested to be compliant (note: compliant, not competent) by a compliant procedure created by compliant experts.
Welcome to the new world where we sell horse manure in cones and call it ice cream - that is OK as long as we do our utmost to make sure it stinks the same every day.
Quote:
"Wahrlich, wenn ich mein Verdruß ned versaufen tät', ich müßt mich aus Verzweiflung schier der Trunksucht ergeben." (Nestroy, Der böse Geist Lumpazivagabundus)
Really, if I didn't drink away my sorrow, I'd have to become a drunkard out of sheer desperation.
bakunin