And again...
After a loooooong week of audit I once again have to conclude that ISO27k et al audits do not do anything for security but merely produce paper.

The time wasted in these audits could've been used to improve protection and increase speed of detection/response.

But hey a lot of people earned a living having meetings and writing hollow documents.

An exercise in pointlessness, keeping us from doing RealSecurity™

#ISO27k #Audit #NotStoppingHackers #CyberSecurity #Detection #Response #Protection
#RealSecurity

[2024 03 11] OpenTIDE 1.0 Release · Wiki · OpenTIDE · GitLab

Open Threat Informed Detection Engineering is the European Commission DIGIT.S2 (Security Operations) open source initiative to build a rich ecosystem of tooling and data supporting Cyber Threat Detections.

@itisiboller many companies only want ISO 27001 certification to say that they have it, not as a consequence of good security. Also, many auditors are not security experts. The problem here is not the standard or the compliance or audit functions; the problem is people not doing the right thing.
@florenciocano Agree to a certain extent, but would still argue that compliance should be the byproduct of good security, and that e.g. ISO27k isn't designed to support that.
@itisiboller I 100% agree compliance should be a byproduct of good security! But personally, I do like ISO27k. Why do you say it is not designed for it? Could you tell me one example? Thanks!

@florenciocano I guess you're right and it is the people; however, over the course of many decades in this industry I have only ever met one auditor who had the competence to take that approach. Every other time it has been check-mark compliance: √ this √ that √ blah.

The large compliance frameworks are also too static: for many years myths such as those around passwords were perpetuated. I personally spent way too many hours convincing auditors that our use of long passphrases was better than their stupid 8 characters/complex/change every 90 days, including colleagues at the time (PCI-DSS, but..).
Again, copious amounts of time were wasted, with much frustration, during which we were less secure and the (few) who were actually improving security suffered from severe "compliance fatigue". I have even seen good measures being rolled back because of this.

Last rant was https://www.infosecworrier.dk/blog/2018/04/stupid-never-dies.html

I'd rather have a longer dialog over an espresso, though ;)

Stupid Never Dies

Information Security in the Seventh Circle of Hell
