Note I didn’t say that accountants and auditors don’t fill a necessary function. It’s that the InfoSec world has adopted concepts from public accounting that don’t transfer very well, primarily because InfoSec has a different intent.

It’s easy for those without a strong understanding of financial auditing, business governance controls, and IT legal liability – to make wrong assumptions about their efforts.

Sure – there are bad CPA IT auditors. But, for every CPA who can’t audit themselves out of a checklist paper bag, there’s 5 IT security assessor cowboys who have left gaping and costly “duh” non-technical IT governance gaps unaddressed.

Harden that non-target test server without sensitive data some more while CIO and CFO collude for more fraud….and defend those sys admins to have access to do anything they like – the ones paying the assessor for the next clean audit report and beers.

It’s not an exciting audit; but seg of duties is important – because MOST people do not do a bad thing when prevented from owning a process to self-benefit (i.e., Access Controls) or if subject to someone else’s potential ethics catching them.

CPA firm practices tend to strain all creativity out of auditors who can think outside the box. I agree that they should focus better on the right areas for the right reasons – but we could use a lot more well-rounded and balanced folks in both IT as well as CPA firms.

A few more years and IT security assessors will be as despised as lawyers and accountants.

“What gets measured gets improved.”

And

“It’s security for security’s sake.”

Amen. I’d pull some of those items out though and put them into a list of “fundamental laws” that really don’t ever need to be said because they’re so obvious, but they do formulate the bedrock of our approaches (kinda like scientific laws and simple statements make the foundation of more complex assertions).

“Compliant doesn’t mean secure. ”
“You don’t know what you don’t know.”
“Security is a journey, not a destination.”
“There is no silver bullet.”
“It’s security, it’s supposed to be hard.”

These are cliche only because too many people still bandy them about like new insights. Or, like you say, as thought-terminating cliches and you just want to slap someone for leaning on them too much.

I think it would be better not to point them as clichés but rather as bad formulations of good ideas.

For instance, “compliant doesn’t mean secure” is the typical sentence you’ll hear from someone who doesn’t want to speak more about a subject. That is, indeed, a thought-terminating cliché. Yet, you can’t say that it’s wrong…

For this particular point, I would rather say that compliance is one specific part of security. I would define security as Confidentiality, Integrity, Availability and Compliance (to legal and internal constraints). Less thought-terminating, it lets you see that you’d better run parallel processes for these different parts, with different audits, criteria, people, etc.

“Security is a journey, not a destination.” So true, but I would rather say that security is not a static asset, it’s a constant re-evaluation of security needs, more than everything else.

“There is no silver bullet.” That’s a word you could hear from a conscious CISO. I would however rather say that the review and enhancement of existing IT services (ITIL sense) and security measures is of more value than the implementation of ever-newer “security products”.

As for the list itself, I would happily add that item “You can’t reach 100% security.” or “There is no 0% risk.”

And for compliance, does a top/down, risk based, and business aware approach to security suffer because it is largely associated with large and brain-dead regulatory compliance frameworks? Guilt by association?

But it sure would be nice for every CISO to know that I have spent X $$$ securing this machine that is responsible for Y $$$ in revenue to the business. As a result, I will take people off of security project A to help fund security project B which will mitigate more risk to the business. Etc.

But most of the time I see it as a corporate maturity problem, rather than approach problem. Immature companies get that “oh sh!t” feeling and [b]something must be done[/b] right then right there. Rather that take an approach commensurate with their ability to embrace and enable changes they go for the end-goal in one shot and die mid-way.

Mature organisations know how much they can take on in one go and what is a priority and what isn’t. They get mature by surviving continuous trial and error.

Now if only there was a way to tell lucky companies from mature companies.

Actually, I think the central issue I’m having is with the juxtaposition you’ve set up in general. It’s apples and oranges, isn’t it? Things like the RMF are frameworks for addressing security considerations. Things like the CSC (of which I count NIST 800-53 among them) are just limited security control sets. These two concepts augment each other (one of the first steps in the RMF is control tailoring afterall, and CSC could very well be considered a sort of tailoring), but they do not (nor can they) supplant each other.

Or am I just way off here?

<3 this blog, btw. Keep up the good work!

Reread this over my Tuesday bagel… You’re right that I do sleep well at night, because it’s not about getting your suggestions implemented, it’s about suggesting the right thing! I’ve been lucky here — folks have listened, and I believe the organization is better for it. I now have a partner in crime and …wait for it… Government Top-Cover to show for it!!!

Only took three years!

Cheers!

Vlad

I would hope that any real assessment that is going to score a department and impact budget would have some wording about how maintaining that score requires a certain baseline of budget/effort/people and how ongoing changes in the environment also change risk and need to be addressed. Few things are truly static.

I may be operating a level lower than you, so look forward to reading more about your ideas!

I’ve read your stuff for a while and never commented, but I was having this same conversation during an assessment 2 weeks ago, hence this reply. I was discussing with a client how transparency into known risks was a “good thing”, because you can’t fix problems without some investment and you can’t justify investment without being able to show the problem. They wanted us to walk out giving them a squeaky clean report. (we won’t sacrifice integrity for clean results, if our business suffers, so be it…i just hope as an industry we aren’t racing to the bottom in this regard)

I think good assessment results should already include a split horizon concept. Some reports mandate a formal structure, but for those that don’t there should always an executive overview providing nuance and a big picture risk assertion. We need to explain and guide our customers as to what the risks mean to them. THIS is our value as assessors now that tools and methods have become somewhat of a commodity.

If results aren’t presented in a fashion to suit multiple audiences already, you are doing a disservice to your clients.