I know I've worked with quite a few compliance/checkbox programs in which the people running things don't even seem to see their work as security-oriented anymore so much as... I don't know, generic criteria fulfillment. It made me trust code or systems that claim to be audited way less than I did before. The people I've seen auditing things are not critical, curious, serious people. They're like most other people, waiting for the day to end so they can do something else. I hate to say it but I can see agents being more effective in many cases.

We're kind of hosed, aren't we. The more I think about how complex and challenging security is getting, and will continue to get, the more I want to pull an Admiral Adama and pull everything offline. I need an air gap.