For #CyberSecurityAwarenessMonth, I'd like to start with a basic assumption we often seem to overlook:

If you don't need the data, don't keep it. Or put another way: you can't lose what you don't have.

Cheap (virtually unlimited) storage encourages us all (people and organizations) to keep lots of sensitive data we don't need - and there are plenty of examples of that coming back to bite people in sensitive places.

We have just over a week left for #CyberSecurityAwarenessMonth. Seems like a great time to talk about compliance.

In the decades I've spent in this business, I've never seen compliance used successfully to push a broad security program. Here's what happens instead:

  • Organizations argue scope down to the barest possible limits so as to limit what they are responsible for
  • Security programs are then built to that barest possible scope, not for the organization as a whole
  • Organizations then shop for an auditor who will validate their interpretation - vs. one who will spur them to improvements

In short, organizations see compliance initiatives as impediments to conducting business, deserving only the smallest amount of attention and money that will satisfy the auditors. Your arguments for the need for, and value of, cyber security must be relevant to the business or organization you're trying to protect, and compliance barely registers.

I'll readily admit that, as a wide-eyed, innocent security practitioner for whom security was a goal in and of itself, it took me way too long to learn this lesson for myself.