Can't speak directly to this, but just to add to the sentiment here - no breach was ever prevented through the application of pen to paper in the shape of a check mark.
If an organisation has the money to spend on doing ISO or something else, it should put the money towards someone who actually has some good skills and knowledge in security and can advise them.
An organisation that recognises the business value in being secure (less risk of fines, reputational damage, more ability to win work with lucrative large organizations) is already in a good place as they've crossed the first hurdle!
The issue with certificates like ISO (and indeed any other kind of kitemark for security) in my view is that it presents the opinion of one (probably inexperienced and cheap) junior person as to whether what you presented them with on the day sounded to comply with a rule. No focus on whether the mitigation is effective. No focus on whether it's relevant or appropriate. No focus on whether it's adequate, or how it sits in relation to the capabilities of a motivated adversary.
A decent understanding of your threat model, your exposure, and how you plan to invest to improve would be far more valuable. Second to this is to then avoid buying snake-oil vendor security products that aren't effective - many of the big organisations breached through SolarWinds offer incredibly expensive "AI"-based cyber tools as those are in vogue. Yet all were compromised by a silly supply chain breach from some proprietary DLL a third-party vendor was shipping into organisations, which was blindly trusted.
Getting a basic understanding of the old fashioned principles of security and having someone help you take technical measures will be a load more effective than producing paperwork to keep a junior auditor happy.
> If an organisation has the money to spend on doing ISO or something else, it should put the money towards someone who actually has some good skills and knowledge in security and can advise them.
These certifications are all about shifting blame and minimizing liability. They come up with these stupid standards that do nothing, certify their own compliance and then when they get owned they say "don't look at us we followed established best practice".
They don't actually care about actual security. To anyone who actually cares, the right way to do things will be painfully obvious. Instead we get people who scrutinize the standards in order to find the easiest, cheapest way to fulfill the requirements. Backup? Just copy the MySQL directory! Hashes? MD5 will do. Why encrypt data at all if it's only being transmitted on a local network? And so on...
There are legitimate concerns about the usability of secure medical software but I don't think that excuses some of the absurdities I've seen...
It’s even worse than that. Many of the compliance standards do require best practices, in most circumstances. For example, CSF, RMF, NIST 800-53 or 171 are all relatively sound from a technical perspective (e.g., data at rest must be encrypted, encryption must be FIPS-validated encryption, etc.).
Unfortunately, the problem with ISO 27001, NIST 800-171, etc., is that people see having written down policies as evidence of implementation of proper controls. If you have a policy that says you use role based access control, you have to actually do it. If you have a procedure that says you backup sensitive data to X alternate location and perform failover tests annually, you have to actually do it.
It’s sad, but 85% of compliance assessors I have worked with essentially look for “do you have a policy? Does that policy say the things the standard says it should? You’re compliant!”.
I blame the companies in part, but I also blame the people who are trusted to objectively and competently evaluate the system’s level of compliance. The standards and assessing compliance to them is great in theory, but in practice, people are...people.
The few areas I will say have succeeded are NIST 800-53/FISMA and FedRAMP. They are not perfect (see: SolarWinds), but the bar for obtaining an ATO and/or FedRAMP accreditation is relatively high.
I agree with largely everything which has been said, but have fallen back on ‘whelp, having even a shitty standard is better than nothing at all, because at least then people have antivirus’. I also would prefer to see an org with whitelisting and ASR enforced office over AV (if they had to be mutually exclusive), but alas we as an industry tell people to waste their time with things that don’t matter at all to pass some checkbox security test to at least obtain some baseline. Some of this is probably greed/scams in the case of self-appointed standards (CREST for instance) where others legitimately are at least trying to solve the problems.
How do we solve these issues without upskilling a bunch of people who don’t know/care about security? Is there even a solution, or are we just bound to hit some Mr Robot-esque post-apocalyptic scenario before people get their shit together?
Hard to say. In some industries I think it is unnecessary and if they face a breach, sucks to be them, but not a whole lot is likely to be lost/damaged.
In industries where it is a necessity (e.g., government, payment processors, healthcare organizations, etc.), I think there are several things that could encourage adoption.
However, fear of distant future possible outcomes is probably one of the weakest human motivators.
If I could advocate for an approach, it would be through tax incentives, government underwritten insurance that requires adherence and practice of security controls, etc.
My thought is, we can very likely encourage Cybersecurity practices using the same tools we use to say, stimulate the economy (e.g., providing liquidity to housing markets, tax rebates for first time homebuyers, etc.) or adoption of lower emission energy technologies (e.g., tax rebates on purchases of electric vehicles).
Unfortunately, people and government have not seemed to want to make the investment necessary to implement methods I’ve suggested above. Which is bizarre, because some of what we have lost and continue to lose is priceless (e.g., OPM government employee records, IP related to military technologies, etc.).