It’s weird to say this but a significant part of the value we provide clients
is filling out Dumb Security Questionnaires (hereafter DSQs, since the only
thing more irritating than a questionnaire is spelling “questionnaire”).
Daniel Miessler complains
about DSQs, arguing that self-assessment is an intrinsically flawed concept.
Meh. I have bigger problems with them.
First, most DSQs are terrible. We get on calls with prospective clients and tell
them, “these DSQs were all first written in the early 1990s and lovingly handed
down from generation to generation of midwestern IT secops staff.” Oh, how
clients laugh and laugh. But we’re not joking. That’s really how those DSQs got
written.