Rybolov from The Guerilla CISO, a local infosec NoVA-based blog, has put together a great blog post about NIST’s latest effort to modernize SP 800-30: Risk Management Guide for Information Systems. In his post he stresses how NIST should not change this document into a “catalog of controls gap analysis” process to favor compliance management over risk management.
Overall, Rybolov is right on point! We really need to stop stressing being compliant and start focusing on risk management. Compliance should be a by-product of risk management, not the other way around.