You don’t even have to check boxes for ISO 27001 these days. All you need to do is pay “consultants” in certain foreign countries about $5k and you magically receive your certification.
Can't speak directly to this, but just to add to the sentiment here - no breach was ever prevented through the application of pen to paper in the shape of a check mark.
If an organisation has the money to spend on doing ISO or something else, it should put the money towards someone who actually has some good skills and knowledge in security and can advise them.
An organisation that recognises the business value in being secure (less risk of fines, reputational damage, more ability to win work with lucrative large organizations) is already in a good place as they've crossed the first hurdle!
The issue with certificates like ISO (and indeed any other kind of kitemark for security) in my view is that it presents the opinion of one (probably inexperienced and cheap) junior person as to whether what you presented them with on the day sounded to comply with a rule. No focus on whether the mitigation is effective. No focus on whether it's relevant or appropriate. No focus on whether it's adequate, or how it sits in relation to the capabilities of a motivated adversary.
A decent understanding of your threat model, your exposure, and how you plan to invest to improve would be far more valuable. Second to this is to then avoid buying snake-oil vendor security products that aren't effective - many of the big organisations breached through SolarWinds offer incredibly expensive "AI"-based cyber tools as those are in vogue. Yet all were compromised by a silly supply chain breach from some proprietary DLL a third party vendor was shipping into organisations, which was blindly trusted.
Getting a basic understanding of the old fashioned principles of security and having someone help you take technical measures will be a load more effective than producing paperwork to keep a junior auditor happy.
> If an organisation has the money to spend on doing ISO or something else, it should put the money towards someone who actually has some good skills and knowledge in security and can advise them.
These certifications are all about shifting blame and minimizing liability. They come up with these stupid standards that do nothing, certify their own compliance and then when they get owned they say "don't look at us we followed established best practice".
They don't actually care about actual security. To anyone who actually cares, the right way to do things will be painfully obvious. Instead we get people who scrutinize the standards in order to find the easiest, cheapest way to fulfill the requirements. Backup? Just copy the MySQL directory! Hashes? MD5 will do. Why encrypt data at all if it's only being transmitted on a local network? And so on...
There are legitimate concerns about the usability of secure medical software but I don't think that excuses some of the absurdities I've seen...
It’s even worse than that. Many of the compliance standards do require best practices, in most circumstances. For example, CSF, RMF, NIST 800-53 or 171 are all relatively sound from a technical perspective (e.g., data at rest must be encrypted, encryption must be FIPS-validated encryption, etc.).
Unfortunately, the problem with ISO 27001, NIST 800-171, etc., is that people see having written down policies as evidence of implementation of proper controls. If you have a policy that says you use role based access control, you have to actually do it. If you have a procedure that says you backup sensitive data to X alternate location and perform failover tests annually, you have to actually do it.
It’s sad, but 85% of compliance assessors I have worked with essentially look for “do you have a policy? Does that policy say the things the standard says it should? You’re compliant!”.
I blame the companies in part, but I also blame the people who are trusted to objectively and competently evaluate the system’s level of compliance. The standards and assessing compliance to them is great in theory, but in practice, people are...people.
The few areas I will say have succeeded are NIST 800-53/FISMA and FedRAMP. They are not perfect (see: SolarWinds), but the bar for obtaining an ATO and/or FedRAMP accreditation is relatively high.
I agree with largely everything which has been said, but have fallen back on ‘welp, having even a shitty standard is better than nothing at all, because at least then people have antivirus’. I also would prefer to see an org with whitelisting and ASR-enforced Office over AV (if they had to be mutually exclusive), but alas we as an industry tell people to waste their time with things that don’t matter at all to pass some checkbox security test to at least obtain some baseline. Some of this is probably greed/scams in the case of self-appointed standards (CREST for instance) where others legitimately are at least trying to solve the problems.
How do we solve these issues without upskilling a bunch of people who don’t know/care about security? Is there even a solution, or are we just bound to hit some Mr. Robot-esque post-apocalyptic scenario before people get their shit together?
Hard to say. In some industries I think it is unnecessary and if they face a breach, sucks to be them, but not a whole lot is likely to be lost/damaged.
In industries where it is a necessity (e.g., government, payment processors, healthcare organizations, etc.), I think there are several things that could encourage adoption.
However, fear of distant future possible outcomes is probably one of the weakest human motivators.
If I could advocate for an approach, it would be through tax incentives, government underwritten insurance that requires adherence and practice of security controls, etc.
My thought is, we can very likely encourage Cybersecurity practices using the same tools we use to say, stimulate the economy (e.g., providing liquidity to housing markets, tax rebates for first time homebuyers, etc.) or adoption of lower emission energy technologies (e.g., tax rebates on purchases of electric vehicles).
Unfortunately, people and government have not seemed to want to make the investment necessary to implement methods I’ve suggested above. Which is bizarre, because some of what we have lost and continue to lose is priceless (e.g., OPM government employee records, IP related to military technologies, etc.).
There are companies in certain developing countries who will skirt the rules on providing consulting and auditing/monitoring to the same company.
They do it for just about any ISO cert, not just ISO 27001.
It is a bit of a dirty secret with companies who work in heavily regulated industries. The companies in question will go through the motions, but make no mistake, you pay for the cert.
Sorry for being vague, just not looking to publicly out anyone. If you Google around, I’m sure you can find more about what I am talking about/much of the controversy around many of the ISO governing bodies.
> There are companies in certain developing countries who will skirt the rules on providing consulting and auditing/monitoring to the same company.
Welcome to my life :) We 'hired' these experts since they came up with the lowest price offer for our certification. I have been through many certifications in the past; this one was the most... shameful.
Pathetic grasp of English, IT in general and security controls specifically. We passed that in absolutely zero time, if you exclude the time spent having lunch and 'discussions' about the interpretation of the requirements.
This was PCI BTW.
Next was the local healthcare certification, done by an international auditing firm. Possibly even worse. Total paper tiger exercise. Total lack of understanding of current security standards. Nice ties & suits though, and even better lunches to discuss (you guessed it) the interpretation of the requirements.
I get why these guys get the jobs: they know the right people and look the part. But boy, would it not be nice if experts could do these jobs.