110 Security De-engineering
e upward pressure to adopt a pass-the-audit approach is the
more common scenario; it arises out of a lack of the technical security
skills necessary to combat risks, and sometimes also there is a pres-
sure on managers to meet KPI target deadlines (or they will not get
their bonus or promotion opportunities). Trying to be too analytical
in security is seen as merely slowing things down, and even if the
skills exist in the security team, analysis is seen as a bad thing when
there are KPI targets involved. KPI targets are often geared around
audit milestones because the audit is practically the only measurable
activity performed by the security team.
An example of the upward pressure situation is where it is known ...