I’ve been paying very close attention to communities such as this subreddit, podcasts, news articles, and to my own personal, anecdotal experiences. I can’t help but notice this trend of businesses assuming that because they passed an audit at a point in time they are now “secure.”
For example, the VDA TISAX audit is one such audit. The basic premise is sound. It covers many controls that directly correlate to the ISO 27001:
* Information Security
* ISMS – Policy
* ISMS Management Review
* Criticality Rating of Customers
* IT Operation Manual
* Checkout Sheet for Employees, Legal Document Retention, Document Management, Ownership Lists, Permissions Management
* Security Policies
* Commitment on Data Secrecy
* Cryptography Policy
* Connection to 3rd Parties
* ISMS Policy
* Guidelines for New Employees
* Data Protection
* Data Protection Handbook
* Data Clearing Concept
* Audit Protocols
* ISO 27001 Certification
* Records of Processing Activities
* Prototype Protection
* Security Zone Concept
* Training Material
* Security Policies
…however, at the end of the day, it’s still an audit. It’s a check at a point in time. It’s also incredibly open to interpretation, and there are many levels of maturity to be considered.
For example, you can be evaluated and provide enough evidence to achieve maturity level 4 for Prototype Protection, but does that mean the company is secure from tangential threats? Of course not. If we think about what companies rely on for day-to-day business, it becomes clear rather quickly that targeted attack resilience is lacking first and foremost, but many other areas fail as well. Chaining threat vectors or simply denying services is enough to disrupt a business into taking “creative actions.”
Many assume that a business will simply just “be down” given certain circumstances; however, this is inherently false. Managers will always seek the path of least resistance and find creative means to operate. The pandemic in 2020 was an example of this. Many companies jumped on board with Zoom amidst a host of vulnerabilities in its functioning and infrastructure. Others implemented rushed remote desktop solutions without even so much as a VPN connection. Several others still sent workers home with secure and proven solutions to both but failed to train employees against phishing attacks that opened the doors to the networks regardless.
What does TISAX say about these topics? “Do you have encrypted communications?” Yes. Checkbox checked. Moving on. “Do you have security awareness training?” Sure, we do it annually. Great! Moving on.
The problem here, in my estimation, is a lack of holistic and dynamic verification. Simplification and automation are in desperate need as well. If it takes your team a month to gather evidence to prove you can pass an audit, you’re in trouble. How do we get across to managers that the business’s infrastructure is just as much of a living ecosystem as the business itself? I have opinions on that, but let’s stick to TISAX and audits in general.
There needs to be an easy way to evaluate what “flavor” the business infrastructure is and then assign open points or vulnerabilities automatically… change management meets risk management meets cyber security, so to speak.
It’s clear in 2021 with the overwhelming tide of breaches and ransomware attacks that “this is what we’ve always done” isn’t cutting it anymore. This includes auditing. Yes, certifying is helpful, but it’s just a piece of paper. It doesn’t jump up and take active defensive countermeasures when your backup servers are being encrypted during the holidays.
Context is king, and TISAX is one of many examples of an abdicated throne of contextual security in enterprise today. We can’t afford to be confused anymore. When there are millions / billions of dollars, people’s jobs, and geopolitical stability at stake, what really is the excuse going to be? “But, we just had an audit last week that said we were good!”
Can we all agree that audits are just a piece of the puzzle to glimpse the security posture? Realistically, we need to do better, but how do we get this message across without being viewed as a Chicken Little?
I open the discussion to the group. Do you have any insights or anecdotes? Am I wrong and why?