Pwned: The Information Security Podcast

Benefits of a Security Certification & Equifax Security Breach

Show Notes: https://justinfimlaid.com/benefits-of-a-security-certification-&-equifax-security-breach/h

Sponsor: https://www.nuharborsecurity.com

Contact Me: https://justinfimlaid.com/contact-me/

Twitter: @justinfimlaid

LinkedIn: https://www.linkedin.com/in/jfimlaid/

A lot of company or agency executives are looking for a security certification, or some kind of assurance, that lets them sleep well at night. The truth of the matter is that no security firm would assert that its clients are bulletproof against a cyber security breach. The threat landscape shifts intraday, and anything a security firm attests to today might be outdated by the time the team walks out of the building. In our industry today there is no certification that offers this level of warranty. HITRUST, PCI DSS, ISO 27001 and SOC reports all ensure that a process is in place, not necessarily the rigor of the security controls in place or the value of those controls in the long run. The Knox Security Certification is the lone technical security certification, but it too has bounds on its warranty and very much requires that the company continue to maintain the hygiene of its security posture, as nothing in security is set it and forget it.

Any potentially viable security certification is in jeopardy because of this, coupled with the fact that so many people misunderstand this concept. Case in point: the Equifax security breach. If you don’t know Equifax, congratulations on making it out from under your rock and listening to this first. Equifax is a large credit reporting bureau that holds credit and personal information for millions of people. The breach impacted over 140 million people, which, to put that in perspective, is nearly half the population of the US.

Here’s the thing: Equifax has an ISO 27001 certification. The certification was delivered by Ernst & Young through its EY CertifyPoint division. Some folks, including those at Equifax, seemed to think this certification shielded them from breach. If you have ever listened to any of my podcasts or read anything I’ve written about ISO 27001, you know that ISO 27001 simply certifies that you’ve followed a framework and methodology to choose security controls, not whether those controls are the right and complete set of security controls for your environment. To add one more point, scope is a big component of ISO 27001, and just because someone has an ISO 27001 certification doesn’t mean it covers the environment they say it does. For example, some companies hold an ISO 27001 certification on their broom closet and say it’s for the whole company.

The issue with this Equifax situation is that E&Y, according to MarketWatch, issued an attest opinion that all security controls were complete and in place, which later could not be supported. Aside from this not being possible, because it presumes a crystal ball that predicts any and all zero-day attacks, it’s also a conflict of interest and a violation of any accreditation rules.

To me this indicates a huge lack of understanding or purposeful negligence.

Further, commentary ...

Pwned: The Information Security Podcast, by Justin Fimlaid