Stop me if you’ve seen this scenario before: A compliance policy is developed behind closed doors by federal security advisors. Once published, it’s sent to IT managers, who take one look and think, “Well, this won’t really work.”
They begin the arduous process of trying to provide feedback, which amounts to submitting a request into a suggestion box, and waiting for an answer that may or may not come. The public comment process is often opaque; you don’t know if or why your comments were rejected and it’s difficult to appeal your case.
Security compliance doesn’t have to stifle innovation — it should baked into the agile development process.