Comment by BrandoElFollito

2 months ago

Yes, I know it first-hand.

At least in cybersecurity, there are no certifications that "certify" that you are secure. There are plenty of them that will assess your processes, their execution, etc., but the reality of the risk is next door. This is typically the case for ISO 27001, which has ISO 27002 (the ex British Standard from the 90s) that theoretically governs the controls you should have in place. But it simply does not work.

When you have a major leak, this is usually a company with half a page of certifications, but, hey, mistakes happen. The key problem is that these mistakes come from a fundamentally wrong approach to cybersecurity, but nobody cares.

Can you please explain what the wrong approach is and how it would be correct/good?

  • I am speaking from the perspective of someone who has been running cybersecurity for 30 years in very large companies. It will be different from smaller-sized entities, where both the risk landscape and the capabilities differ.

    This is really a two-layered approach: you need to have a mechanism to manage your processes, and a real-life risk assessment. This last part is usually what fails most because there are not many people who can build a comprehensive risk analysis.

    The problem with risk analysis is that you either have consultants who read books about risk but never operationally managed cybersecurity (and they provide "high level" risks which are useless without the "low level" part), or tech people who understand their part very well and see it as the most important. Having a very good CISO is what helps.

    This CISO should also have politico-socialo-whatever leverage to make things happen. Put them in a position where their words are not the words of god and you fail immediately.

    A large company is absolutely not homogeneous - as opposed to what reports will state. There is usually a core that is well known, and then 10 or 100 tentacles of semi-controlled systems where bad things happen. This blindness to the reality of the company is what hits the hardest.

    How to manage a complex system is not for an HN comment; this requires time, resources and know-how. And leverage.