Comment by torginus
2 months ago
Compliance is crazy sucky - I remember there being a case when one of our vendors was harvesting data like crazy, and we went after them. It was grossly in violation of GDPR, like as bad as it could get.
When we reached out to them, they showed us a cert about how they were GDPR compliant, issued by a huge brand-name consulting firm.
In the paper they said they implemented certain standard-mandated cryptographic measures to 'anonymize' the data. Thing is, they implemented them wrong on purpose, so that they could actually identify users by inverting hashes with a rainbow table.
There was a lot of BS legal reasoning in there but the bigname firm signed off on it. Oh and at the bottom, it had a provision that if the company were to be sued for breach of GDPR, the consulting firm would not be liable in any way.
But this was good enough for tons of companies and govt agencies to just use that software.
So that's what compliance certs get you.
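The flaw torginus describes (a deterministic, unkeyed hash over guessable identifiers, which a precomputed table inverts) as an added illustration that is not part of the thread: the weak pseudonymization next to a keyed HMAC form, with a constructed candidate list standing in for the rainbow table. The sample e-mail addresses and the key handling are assumptions for the demo.

```python
import hashlib
import hmac
import secrets

# Constructed sample: identifiers a vendor might "anonymize" before sharing data.
SAMPLE_EMAILS = ["alice@example.com", "bob@example.com", "carol@example.com"]


def weak_pseudonym(identifier: str) -> str:
    """Unkeyed, unsalted SHA-256. Deterministic, and e-mail addresses are low-entropy,
    so anyone can hash a list of candidates once and invert the 'anonymized' column."""
    return hashlib.sha256(identifier.encode()).hexdigest()


def keyed_pseudonym(identifier: str, key: bytes) -> str:
    """HMAC-SHA256 with a secret key kept by the data controller. Still consistent
    (joins across records work), but a precomputed table is useless without the key."""
    return hmac.new(key, identifier.encode(), hashlib.sha256).hexdigest()


def build_lookup_table(candidates, pseudonymize) -> dict:
    """The 'rainbow table' of the anecdote reduced to a plain precomputed dictionary
    mapping pseudonym -> original, built from guessable candidate identifiers."""
    return {pseudonymize(c): c for c in candidates}


def reidentify(pseudonym: str, table: dict):
    """Return the original identifier if the pseudonym is in the table, else None."""
    return table.get(pseudonym)


def demo() -> dict:
    """Show that the weak scheme is inverted by a candidate table and the keyed one is not."""
    controller_key = secrets.token_bytes(32)  # assumed secret; never shipped with the data
    target = "bob@example.com"

    # Weak scheme: the table built from public candidates recovers the identity.
    weak_table = build_lookup_table(SAMPLE_EMAILS, weak_pseudonym)
    weak_hit = reidentify(weak_pseudonym(target), weak_table)

    # Keyed scheme: the same candidate list, but without the controller's key the
    # reviewer can only build a table under some other key, which never matches.
    other_key = secrets.token_bytes(32)
    keyed_table = build_lookup_table(SAMPLE_EMAILS, lambda c: keyed_pseudonym(c, other_key))
    keyed_hit = reidentify(keyed_pseudonym(target, controller_key), keyed_table)

    return {"weak": weak_hit, "keyed": keyed_hit}
```

Salting each record with a random value also defeats the table, but breaks the consistent mapping that made the data useful; a keyed HMAC keeps that linkability while binding re-identification to possession of the key.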
Yes, I know it first-hand.
At least in cybersecurity, there are no certifications that "certify" that you are secure. There are plenty of them that will assess your processes, their execution, etc., but the reality of the risk is next door. This is typically the case for ISO 27001, which has ISO 27002 (the ex British Standard from the 90s) that theoretically governs the controls you should have in place. But it simply does not work.
When you have a major leak, this is usually a company with half a page of certifications, but, hey, mistakes happen. The key problem that these mistakes come from is a fundamentally wrong approach to cybersecurity, but nobody cares.
Can you please explain what the wrong approach is and how it would be correct/good?
I am speaking from the perspective of someone who has been running cybersecurity for 30 years in very large companies. It will be different from smaller-sized entities, where both the risk landscape and the capabilities differ.
This is really a two-layered approach: you need to have a mechanism to manage your processes, and a real-life risk assessment. This last part is usually what fails most because there are not many people who can build a comprehensive risk analysis.
The problem with risk analysis is that you either have consultants who read books about risk but never operationally managed cybersecurity (and they provide "high level" risks which are useless without the "low level" part), or tech people who understand their part very well and see it as the most important. Having a very good CISO is what helps.
This CISO should also have politico-socialo-whatever leverage to make things happen. Put them in a position where their words are not the words of god and you fail immediately.
A large company is absolutely not homogeneous - as opposed to what reports will state. There is usually a core that is well known, and then 10 or 100 tentacles of semi-controlled systems where bad things happen. This blindness to the reality of the company is what hits the hardest.
How to manage a complex system is not for an HN comment; this requires time, resources and know-how. And leverage.