Comment by more_corn

3 years ago

Just because you’re not a security expert doesn’t mean security experts don’t exist.

And it certainly doesn’t mean security review is useless. You don’t even need to be particularly good to catch some of the worst things I’ve seen. SOC 2 doesn’t necessarily mean you are secure, but it does require the organization to do quite a few things that it’s a good idea to do: periodic internal security review, having a password policy. There are few things in SOC 2 that are actually useless. Real security requires more than the compliance checklist, but the checklist isn’t a bad place to start.

Honestly, deciding to care about security is a good place to start. Look at Colonial Pipeline. If they’d cared about security at all they could have hired a security engineer or even promoted a capable internal IT person to security engineer. That person could have even been wildly underqualified. Imagine going to work your first day as a security engineer, knowing you don’t know shit. What’s the first thing you do? Google security best practices. One of the top ten things is don’t share passwords. Another is don’t reuse passwords; another is rotate passwords when employees leave. (So write a password policy for the first two, buy 1Password, create a checklist for the third.) Those three things would have prevented the thing that actually got them breached. The rest of the list of top ten would have prevented them getting ransomwared.

None of the bad security I’ve seen has been particularly hard to identify or fix. The problem has always been insufficient will to fix it.

I have yet to see an organization that implemented all of what I would call the easy stuff. I’d be thrilled to see it because it would mean we could dig into the truly hard stuff.

The problem is that even the "easy stuff" becomes a major project at large organizations. Every problem is a problem at scale.