by 7174n6 1075 days ago
Being compliant within any of those frameworks does not make an organization secure. It's a good place to start, and will make the auditors happy, but assuming that (compliance equals secure) is a huge mistake.
3 comments

> Being compliant within any of those frameworks does not make an organization secure.

I've gotten into breathless arguments with "cyber experts" who really don't understand this simple point. I've met people in industry who literally think that "filling out the paperwork and having a risk committee accept risks or prioritize a schedule to get into compliance" equals "our systems are now secure".

It's a massive self-serving industry incentivized to enrich itself and not secure systems. If they were successful at designing, deploying, and maintaining secure systems, there wouldn't be an industry.

I’ve really been of the opinion as of late that if we took just a small fraction of the time and manpower we waste on pedantic security framework adherence and put it towards training actual staff and experts to be better cybersecurity professionals, we’d be better off.
I agree with this notion. The issue is you need the security attestation and certifications to give folks in the sales cycle the warm fuzzies. These pedantic measures are directly a pathway to sales enablement and revenue. The actual securing and maturity work is a side benefit.

On the other side of the coin, if a vendor does not have paperwork and evidence to support their programs, how does one as a purchaser or security reviewer verify? Organizations only act truthfully to the extent that it benefits them. Quality of audits and supporting paperwork is a real mixed bag. Unless you’re an Amazon, you’re not going to get the chance to audit your vendors and sub-processors outside of reviewing this type of documentation.

The entire process is broken.

I'd push back on this, and say it's a pretty distinctively bad place to start, unless you're starting at Allstate in a parallel universe where Allstate hasn't spent the last 20 years doing this stuff and indirectly influencing these frameworks.
These frameworks don’t guarantee security, but there is a stark difference between companies that do this and those who don’t. Companies that follow these frameworks are at least attempting to be secure.
Even that is false. Companies that follow these frameworks are performing security, at the expense of actually building security.
In my experience, the companies not following these frameworks aren't even _performing_ security.

Everyone here is correct that you need more than just these frameworks/audits to be secure. However, most companies that are secure are following these frameworks. If you're secure, these frameworks are a no-brainer to certify against.

No, I reject your premise, for all the reasons I've stated on this thread.