by evanjrowley
87 days ago
One of the exploitable mechanics of this scheme is the strategic division of labor between organizations who implement the controls, create the security documentation, and provide the sign-off. Generally, each side distributes their risk by involving others who they can blame when things go wrong. It is intentionally designed so that everyone involved, including the "cyber security experts", each have only a narrow view and must trust the others to do the right thing. Risk management is very much a broken game designed to please suits whose priorities are not real cyber security.

The bug is when nobody actually verifies. The audit firm holds the mandate to look at the full picture. When they sign without doing that, independence becomes a gap. And right now, the bodies supervising those firms aren't enforcing anything when that happens.