I am getting really tired of listening to whining without proposed solutions. Not only has the security subset of the blogosphere dried up over the last few months, but the whining seems to be increasing. Compliance has been the whipping boy du jour for most of the year, but risk assessment also appears to be back up for a beating this month. I think the worst part of it all is that the criticisms I've read typically lack the proper background research, or they end up being about other issues rather than being an attack on risk assessment itself.
There are several points that I want to discuss around these topics. First, from a regulatory perspective, we're still closer to living in the land of common law than we are to a modern governed society. There are limits to how effective that can be. Second, we need to make sure that we focus our energies on valuing the right things. There's a lot of churn about how certain words or concepts aren't estimable or have no intrinsic value, but that is a red herring. Lastly, and perhaps most importantly, we need to realize that the reason we are where we are today in infosec is a disconnect between actions and consequences. We now know that this must change.