rslade
Influencer II

Testing, testing ...

Recently, a certain national leader has directed that testing for the SARS-CoV-2 virus be "slowed" so that the numbers of new cases of the disease will be reduced.  This is, of course, flatly ridiculous.  Testing does not cause problems, it just reveals existing problems.  And the lack of testing doesn't prevent problems, it only blinds you to the scope of the problem.  I have told my "testing" story before ...

Oh, well, what the hey:

 

I am reminded of a situation where sales and marketing was supposed to carry out virus scans before they installed our product. They had previously been using an inferior product and I mandated that they use a more accurate product. At one point a machine was brought in as a problem. First step in my process was to scan the machine, and, sure enough, it was infected.

"Did you scan it?"

"Yes."

"Did you use the right scanner?"

"Well, no, we used the old one."

"Why did you use the old scanner, when I've specified that you have to use the new one?"

"Well, when we use the one you told us to, it finds viruses ..."


............

Other posts: https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413

This message may or may not be governed by the terms of
http://www.noticebored.com/html/cisspforumfaq.html#Friday or
https://blogs.securiteam.com/index.php/archives/1468
5 Replies
denbesten
Community Champion


@rslade wrote:

Recently, a certain national leader has directed that testing for the SARS-CoV-2 virus be "slowed" so that the numbers of new cases of the disease will be reduced.  This is, of course, flatly ridiculous.  Testing does not cause problems, it just reveals existing problems.  And the lack of testing doesn't prevent problems, it only blinds you to the scope of the problem.

Quoting directly from a recent speech:

 

"Certain National Leader" said:

Here’s the bad part. When you do testing to that extent, you’re going to find more people, you’re going to find more cases. So I said to my people slow the testing down, please. 

Responding in the form of a test question (and with apologies to a certain game show):

Q:  What is the best way to not find something?

A) Don't go looking for it.

B) 50/50.

C) Phone a Friend.

D) Ask the Audience.

Answer: A

The national leader's clearly stated goal was to "not find more cases".  Just as we teach CISSP padawans to select the answer that best answers the question being asked, we need to recognize that the national leader correctly identified that "not looking" is the best way to not find something.

I leave it as an exercise to the reader to decide if our code of ethics is best met by the national leader's goal, by "testing to reveal the scope of the problem", or by "slowing the pandemic and defeating the virus".

CISOScott
Community Champion

Some people can hear a joke and not get the joke. I do not think that leader was really saying "slow down testing" in all seriousness. I think he was pointing out how the media is manipulating the data to prove whatever point they want gullible people to believe. There have even been studies that show that COVID-19 has been in our country longer than we knew it and more people have had it without serious health issues, than previously thought. 

 

I know several former bosses (and they are former bosses for a reason) that feared audits and wanted to make sure we were "100% ready" for it. However, being the experienced person that I am with audits, having been through a bunch of them, I also know how the audit "game" works. If an auditor finds something they usually stop digging there and don't look for the harder stuff. If they fail to find any easy findings, they usually keep digging until they find something. I inherited a very poorly run IT organization from a security point of view. I had been working with the CIO and making progress, then that CIO retired and they hired a new one a few months before a "big" audit. So as the CISO I had a choice: fix the easy things which don't actually stop the hackers from getting in (like out of date policies) or leave that for the auditors to find while working on the things that were actually getting us breached, like successful phishing attacks, poor patching processes (for fear of blue screens), poor administration privileges practices, etc. I knew we had this big audit coming up so I worked on the more critical stuff while leaving the easy stuff to find (and to fix) for the auditors to discover. Yes the policies were out of date, but they were also poorly written, had huge gaps in them, were not being followed by staff, etc. What did the auditors find? Policies were out of date. That's where they stopped. Nothing about how inadequate they were, or how they weren't being followed, etc. I also knew that the organization had a reputation for ignoring the previous CISO's advice but allocating all kinds of resources to close audit findings, so I leveraged the audit to my advantage. I "let" the auditors discover some things I wanted the agency to fix so that they would be exposed (and yes I had already informed the agency of the vulnerabilities and they just shrugged them off and took no action on them).
I fixed some things while the auditors were onsite so that they would know that we were capable of fixing them, but would write them up anyway as a finding. I knew this would give me budget leverage with the new director of the agency as well. The new CIO didn't understand this and took it as an affront to his "image" that the auditors found things. He didn't understand how these government auditors worked. I knew they would stop if they found easy things and keep digging until they found something if they didn't find anything easy. The auditors even admitted to and proved my theory in the out briefing, as there was one area, out of about 100 areas looked at, that scored 100% on the questions (about 6 levels deep), when the auditor stated that they had never had anyone get 100% on any item in any of their previous audits. The only reason they couldn't find anything is because it was a firewall and the person auditing it only knew to ask the 6 questions they had. If the auditor was actually a firewall person, they could have easily found some more items on it.

 

So which would you rather have after an audit: 300 findings, of which 200 are easy and 100 are medium to hard, or 150 medium to hard things? Oh yeah, you also have a short timeline to remediate a portion of these findings and show progress or else you lose access to the data this government agency is providing your agency. The medium and hard things will all take either budget (which you have to go ask government for), personnel (which you again have to go ask for), procurement actions (which can take between 3-9 months) or dedicated SMEs which you currently do not have in your organization to reorganize your IT infrastructure. I chose the first one. We could knock out the 200 easy things in the 6-month timeframe and get the ball rolling on the 100 medium/hard things. Then at the 6-month checkup we have remediated 66% of our findings and have work in progress on the other 34%, versus only being able to report that we have gotten the ball rolling on 100% of the findings but have made no completions, as they all would take 6-12 months to get started before actually being able to complete them.

 

So I view testing/auditing as exposing what needs to be exposed so that things can be understood and fixed. My problem with this whole COVID-19 problem is that in my country, people can profit off of claiming a COVID case, whether or not it actually was a COVID case, just to make money off of it. It skews the true statistics, which then can be manipulated by people who want to present a certain narrative to people gullible enough to fall for it without doing their own research into the situation. Or to people without an understanding of how statistics can be manipulated to say whatever you want; you just have to ask the right questions in a certain way.

CraginS
Defender I


@CISOScott wrote:

Some people can hear a joke and not get the joke. I do not think that leader was really saying "slow down testing" in all seriousness. I think he was pointing out how the media is manipulating the data to prove whatever point they want gullible people to believe. T


 

https://www.youtube.com/watch?v=8JtnEUPvpus

 

https://www.youtube.com/watch?v=-CxX8nvLalE

 

 

\(*0*)/

Craig 

 

D. Cragin Shelton, DSc
Dr.Cragin@iCloud.com
rslade
Influencer II


@denbesten wrote:

I leave it as an exercise to the reader to decide if our code of ethics is best met by the national leader's goal, by "testing to reveal the scope of the problem", or by "slowing the pandemic and defeating the virus".

Q. Does Usenet help stamp out ignorance?
A. That depends on whether by `stamp out' you mean `eliminate' or `reproduce rapidly in great quantity.'

 

- Dr. Roger M. Firestone

jmikesmith
Newcomer III


@CraginS wrote:

@CISOScott wrote:

Some people can hear a joke and not get the joke. I do not think that leader was really saying "slow down testing" in all seriousness. I think he was pointing out how the media is manipulating the data to prove whatever point they want gullible people to believe. T


 

https://www.youtube.com/watch?v=8JtnEUPvpus

 

https://www.youtube.com/watch?v=-CxX8nvLalE


After reading this, I have no idea whether President Trump is joking, and I don't think he does, either!

 

Mike