Company I work with (critical infrastructure) does cyber heavily through the lens of compliance, meaning compliance with federal regs dictates how we do cyber in a lot of cases. Let me say I totally understand that you have to comply. But doing cyber this way, I feel like we are giving the bad guys a blueprint on exactly what our security controls are and where our weak spots are. Am I crazy or is this more common than I think?