by academia_hack 1072 days ago
My personal take on the land of cyber security frameworks - and especially security standards - is that a good security team should be able to read through a list of controls (e.g. those in NIST 800-171) and express a reasoned opinion on each one with respect to the company's security posture. They are fantastic tools for reminding you what things you might have overlooked and driving a discussion about how your organization is approaching security - basically regardless of what type of company you run.

That's where the value stops - once you give lawyers, policymakers, and insurance companies access to these documents it becomes an unending game of regulatory capture, responsibility derogation, and box-ticking.

You end up with people who have zero context for technology running around demanding to see evidence that your smart toaster implements 12.2.14.1.5b "The centralized time server must enforce separation of duties" before it can be added to the network or some other such incoherent nonsense.

These standards always start in the right place, but they get used in the most frustrating ways because people who don't understand how technology works are, invariably, the auditors and assessors who apply these standards since true technologists can easily find more gratifying jobs doing literally anything else.

The other bad thing they do is encourage technologists who aren't security subject matter experts to invest in programs and tools that aren't valuable, either at their current state or, in some cases, ever. They create the impression that there is an important checklist of things that most companies need to have, and if such a checklist exists, not one of these frameworks captures it.

Yeah, unfortunately a lot of checkboxes only serve to expand the attack surface in many cases.

> a lot of checkboxes

Yeah, I'm self taught on this stuff, but I've started to think that's not all bad. I literally downloaded every one of the NIST 800 series, the FIPS series, the CNSSIs, all of it, and went through everything to figure out what connected with what. Most of it is pretty damn obvious. You should secure your internet-facing servers, sanitize inputs, never hold actual passwords in a database, use some form of 2FA, etc.

But there are a lot of dudes with degrees in "cyber-something" or "IT something" who lord over me with their government-bestowed positional authority (I'm just the clinical informatics physician with an undergrad in physics from a top school and teach machines to diagnose disease, trying to deploy things to actually save lives, so what the fuck could I possibly know about the dark arts of cybersecurity? "Oh, god, here he is talking to us about numbers again, borrrringgggg. I bet he's going to ask us when the GPUs are going to be on contract. Again. Like, bro, we'll get to it. Later.")

Come to find out a lot of these fuckwads speed-click through their ATO checklists. Shockingly, the timestamps on the checkboxes are all on the Thursday afternoon before the Tuesday "surprise" inspection that happens the same week of the year every time, run by the guy who they used to work for at the last gig.

And then the guys actually trying to get shit done get drowned by the 50 fucking drones who all show up to the weekly meetings and pipe up with their 30 seconds worth of input. And the guy trying to actually deploy product spends the rest of the week establishing that the drone didn't actually know what the fuck was going on in the meeting and just blurted something out at the appropriate moment, relying on the last 30 seconds of banter to guide his statements.

Not that I'm bitter or anything...

Welcome to the government.

Positive change starts with someone acting on the thought "it doesn't have to be this way."

Fatalism and cynicism are comfortable because they don't ask you to do anything.

Cynicism is ultimately resigned consent.

How many security professionals here have actually sent a thought-out letter to their congressperson or to NIST directly? How many people who express the negativity in this thread have tried to e-mail someone in a position of institutional authority or a tech-related think tank? How many people have given government service a try? How many people have waited for a security catastrophe and then e-mailed someone who might be able to change policy? How many people have looked up a law and tried to reverse engineer who wrote it and who can influence it?

How many people have tried and failed?

When everyone thinks like yourself, it becomes a self-fulfilling prophecy.

Recognise!