Recently I had a hypothetical conversation with our marketing director about “what if” a spokesperson or responsible party for a government agency, local municipality, regulated organization or business of any size stood up in public and said:
“Yes, we got hacked. But we have a SOC 2 report, ISO 27001 certification and/or other proof that we have a robust information security posture. No system is bulletproof. We did the best we could be expected to do. In this day and age, getting hacked is inevitable. Our credibility remains intact. Thanks and have a nice day.”
Any business or government entity that holds up a security attestation to stakeholders, let alone the public, should keep one key fact in mind: Aligning with a security framework doesn’t make you secure—it just makes you compliant.
If you got breached, it was probably because you didn’t do enough to manage information risk and secure information assets. For example:
- Did you provide security awareness training to employees to help block ransomware attacks?
- Did your third-party risk management program reveal that one of your high-risk vendors was hiring career criminals?
- Is your ISO 27001 information security management system (ISMS) mature across your organization… or just one location?
- Whatever the scope of your ISO 27001 ISMS, how well are you managing/executing on it? Did you follow through on your security objectives in agreed timeframes?
- Is there a check-the-box mentality in any aspect of your InfoSec program?
You could have an InfoSec attestation and still fail on all the above questions.
Bottom line: Did you get that attestation just to hand a certificate to someone? Or did you get it so that you could actually manage risk well, in accordance with best practices and with a roadmap for continuous improvement?
“But most of the time hackers exploit something much more preventable in your attack surface.”
It’s no secret that many companies maintain certifications or attestations mostly for sales and marketing related reasons. There is no shortage of projects out there where the client hasn’t done anything with its information security program for nine months, and is now scrambling to get everything propped up so they can get that box checked again.
Is it true that no security program is bulletproof? Yes. For example, you might be hit by a zero-day attack against an undiscovered vulnerability in a COTS product. But most of the time hackers exploit something much more preventable in your attack surface.
If you’re looking to get your information security program solidly on track or address specific stakeholder concerns, contact Pivot Point Security to brainstorm with an expert on next steps.