In continuation of my Security by Self-Delusion and Transforming Negligence to Non-Compliance posts, I have a few more thoughts.
The first relates to attestation making senior management feel good about their security profile.
Let's drop into another cheesy security analogy.
In many cases attestation is like keeping a log of all the times you drove the speed limit. It might make you feel better, but if you are management you should be very wary of it. If a cop pulls me over for doing 80 in a 65, I doubt he will let me off because I show him a log of all the times I did 65. For that matter, the judge won't be impressed either. The cop and the judge only care about the one time you were over the limit, and an attacker is no different: a self-reported, point-in-time attestation says nothing about the one control that was missing on the day it mattered.
Compliance can (and should) be used to drive improvement in security, but management and executives must not delude themselves into thinking they are secure because they have successfully passed an attestation stage. Passing it shows you met a checklist on a particular day; it does not show that your controls hold up against a motivated adversary, and only testing them as an adversary would can show that.