I used to work for the government on systems with extremely sensitive data. I’m talking… penitentiary consequences for data leaks. 90% of the Information Security employees didn’t even have a background in tech OR security.
You’d be surprised how incompetent an auditor can be if the security framework simply requires them to blindly fill in responses on boilerplate spreadsheets based on the department’s word alone.
For example, risk assessments are performed for all new applications requested by employees.
InfoSec: Does this COTS web application have X security control which protects data in transit via encryption acceptable for use in our operating environment?
Some bozo from marketing: Yeah, I’m pretty sure.
In truth, neither of them are sure. The requester didn’t check, and the auditor saw the word “encryption” on the vendor’s website along with a green padlock in the address bar and that was good enough.
The auditor doesn’t even know how to check the ciphers being used for this sketchy web application. The control also requires TLS 1.2+ due to the sensitive nature of the data. The auditor marks the security control as “Met” and approves the software request.
The auditor is completely incompetent, but is used as a pawn in an elaborate game of “security theater” to abstract away liability.
Also, even if the hypothetical security control in the example above wasn’t met, the head of marketing (System Owner) could request an exception be created to skip that security control.
Wait, qzx_pierri, you’re telling me that the security control can be skipped? How the hell is that a security CONTROL?
I don’t know, and that’s why I quit that depressing industry. To everyone reading this: Stay paranoid, and protect your data yourself if it’s on someone else’s server. "Security" (in America, at least) is often complete bullshit.
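As an added example, not part of the post above: what actually verifying the "TLS 1.2+ with acceptable ciphers" control looks like, using only Python's standard library. The cipher allow-list is an assumption for this example; the evidence comes from the negotiated handshake, not from the vendor's website or a padlock icon.

```python
import socket
import ssl

# Requirement stated in the post: TLS 1.2 or newer for data in transit.
# The cipher allow-list below is an assumption for this example (AEAD suites
# with forward secrecy); substitute whatever your control actually mandates.
ACCEPTED_VERSIONS = {"TLSv1.2", "TLSv1.3"}
ACCEPTED_CIPHERS = {
    "TLS_AES_256_GCM_SHA384", "TLS_AES_128_GCM_SHA256",
    "TLS_CHACHA20_POLY1305_SHA256",
    "ECDHE-ECDSA-AES256-GCM-SHA384", "ECDHE-ECDSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-ECDSA-CHACHA20-POLY1305", "ECDHE-RSA-CHACHA20-POLY1305",
}


def evaluate_control(version, cipher):
    """Decide the control from negotiated facts; returns (met, reason)."""
    if version not in ACCEPTED_VERSIONS:
        return False, f"negotiated {version}, control requires TLS 1.2+"
    if cipher not in ACCEPTED_CIPHERS:
        return False, f"negotiated cipher {cipher} is not on the accepted list"
    return True, f"negotiated {version} with {cipher}"


def probe_server(host, port=443, timeout=5.0):
    """Complete a real, certificate-validated handshake and return
    the negotiated (protocol version, cipher suite name)."""
    ctx = ssl.create_default_context()  # chain validation and hostname check stay on
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version(), tls.cipher()[0]


def audit(host, port=443):
    """Probe the host and return an evidence record for the risk assessment.
    A failed handshake (bad chain, no TLS 1.2+) is recorded as not met."""
    try:
        version, cipher = probe_server(host, port)
    except (ssl.SSLError, OSError) as exc:
        return {"host": host, "met": False, "reason": f"handshake failed: {exc}"}
    met, reason = evaluate_control(version, cipher)
    return {"host": host, "met": met, "reason": reason}


if __name__ == "__main__":
    import sys
    print(audit(sys.argv[1] if len(sys.argv) > 1 else "example.com"))
```

Run it against the vendor's hostname and paste the returned record into the assessment instead of the requester's "pretty sure".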