Name: Compliance Is Guaranteed to Fail. How Do We Fix It?

Time: 6:00 PM - 6:30 PM (EDT)

Description:

Stop. We are lying to ourselves. I'm saying this bluntly because that's how it is. We gather evidence at a 10% sample rate from our environment and claim it represents everything we have. Does that 10% provide full assurance on the other 90%? Of course not. You know it, the auditor knows it. What if we don't sample but instead audit the entire population, 100% every time?

Today, compliance means we knowingly turn a blind eye to the majority of our environment, as long as the sample set is clean enough. I'm calling out to my fellow practitioners in security and compliance — it's time for a change. How many additional breaches do we need to see to admit that compliance, the way it is done today, isn't working? Let's automate full population analysis and understand the complete security context. It may be hard at first, but it's totally worth it, I promise. Let me show you how we achieved this and more.

Erkang Zheng