GNU social JP
GNU social JP is a Japanese GNU social server.
Conversation

    Pseudo Nym (pseudonym@mastodon.online)'s status on Sunday, 01-Sep-2024 04:00:52 JST

    #infosec professionals. Do you ever feel like we've gone 2 or 3 levels too meta in our field?

    What I mean is, actually securing a business with 2FA, password managers, and code reviews for #OWASP top 10 issues all seem practical, and useful.

    But once we get into "Cyber Security Frameworks" and iso-27001 audits, and a bunch of GRC (Governance) stuff, it feels...abstract, to the point of being work for work's sake, and not for actually getting the result of improved security.

    Thoughts?

    • Jake Hildreth (acorn) :blacker_heart_outline: (horse@infosec.exchange)'s status on Sunday, 01-Sep-2024 04:00:51 JST

      @pseudonym I can tell you from assessing environments from very small to very large, the ones that have the best policies and procedures built out (typically to meet some framework or regulations) do tend to have the most secure environments. And more importantly, they know where their weaknesses and gaps lie.

    • Jake Hildreth (acorn) :blacker_heart_outline: (horse@infosec.exchange)'s status on Sunday, 01-Sep-2024 06:05:00 JST

      @pseudonym I would generally agree with that statement… except we still see customers who obviously have a great security culture (lots of stuff done well, engaged staff, knowledge of outstanding issues) but still miss some of the more basic stuff (weak password policies, no separation of duties) because they don’t have a checklist to follow.

      Not sure if this makes sense, tho.

    • Pseudo Nym (pseudonym@mastodon.online)'s status on Sunday, 01-Sep-2024 06:05:01 JST
      in reply to Jake Hildreth (acorn) :blacker_heart_outline:

      @horse

      Fair enough. But are we sure this isn't confusing correlation for causation?

      I worry that the policies and procedures become an end unto themselves, for checkbox compliance.

      Your observation can be explained by thinking there are robust security cultures, and weak ones, and the robust ones both understand the value of having and following frameworks, and also have good practice. But it's not clear to me that the frameworks cause the practice.

      The culture causes both.


GNU social JP is a social network, courtesy of GNU social JP管理人. It runs on GNU social, version 2.0.2-dev, available under the GNU Affero General Public License.

All GNU social JP content and data are available under the Creative Commons Attribution 3.0 license.