One Professional Accreditation Program 281
the name suggests, are supposed to analyze things, not parrot-fashion
deliver security services with checklists and “best practices.”
How about the “audit-driven security strategy” as I covered in
Chapter 4? Again, with the population of suitable skills in analysis and
management, organizations will move away from this approach slowly
over a few years. There will still be audit and regulatory compliance
requirements for a long time to come, but it will no longer be the case
that the security strategy is geared up to just about creep over the line
in barely passing the audit. However, once regulators realize how bad
their audit quality has been all these years, the audits may well start
getting ...