First, thanks to everyone who took the unscientific, perhaps poorly worded survey. I appreciate you taking time to help out. I especially appreciate the feedback from the person who took the time to write in:
“Learn the proper definition of ‘Control Systems’ as in, Distributed Control Systems or Industrial Control Systems. These are the places that need real security, not some bullshit enterprise network.”
You, sir or madam, are chock full of rock and roll. Thanks for cheering me up.
Next, the results were:
Daily = 6
a few times a month = 2
a few times a quarter = 1
less than a few times a quarter = 10
never = 43
and the chart looks something like this:
UPDATE: Jeff Lowder asked me to clarify this a bit. I’ll start by reiterating that this was not really a proper survey, but akin to asking a handful of friends (the survey’s existence was announced here, on Twitter, and to a couple of security-centric mailing lists). As such, don’t get all bent out of shape about it.
I was interested in the question – “how often does GRC analysis impact actual OpSec?” and decided that a frequency of interaction would be a pretty good bellwether. The question (and results with proper caveats) were part of the presentation Allison Miller and I gave at Black Hat. More on that presentation in a while, btw.