Show Notes: https://justinfimlaid.com/benefits-of-a-security-certification-&-equifax-security-breach/h

Sponsor: https://www.nuharborsecurity.com

Contact Me: https://justinfimlaid.com/contact-me/

Twitter: @justinfimlaid

LinkedIn: https://www.linkedin.com/in/jfimlaid/

A lot of companies or agency executives are looking for a security certification or some kind of assurance they can sleep well at night.  Truth of the matter is no security firm would assert that their clients are bullet proof from a cyber security breach.  The threat landscape is shifting intraday and anything a security firm would attest to today might be outdated by the time the team walks out of the building.  In our industry today – there is no certification that offers this level of warranty.  HITRUST, PCI-DSS, ISO27001, SOC Reports all ensure that a process is in place not necessarily the rigor of the security control in place and value of said control in the long run. The Knox Security Certification, is the lone technical security certification but that also has bounds to the warranty and very much requires that the company continue to maintain the hygiene of their security posture as nothing in security is set it and forget it.

Any potentially viable security certifications is in jeopardy because of this coupled with the fact there is so many people that misunderstand this concept.  Case in point is the Equifax security breach. If you don’t know Equifax, congratulations on making it out from under your rock and listening to this first.  Equifax is a large credit reporting bureau that holds credit and personal information for millions of people.  The breach, impacted over 140 million people…which to put that in perspective is also HALF the citizens in the US.

Here’s the thing, Equifax has an ISO27001 certification. The certification was delivered by Ernst and Young and their EY CertifyPoint division. Some folks, including those at Equifax, seemed to think this certification shielded them from breach.  If you ever listened to any of my podcasts or read anything I’ve written related to ISO27001, you know that ISO27001 simply certifies you’ve followed a framework and methodology to choose security controls—not whether those controls are right and complete security controls for your environment.  To add one more, scope is a big component of ISO27001 and just because someone has an ISO 27001 certification doesn’t mean it for the environment they say it is.  For example, some companies have an ISO27001 certification on their broom closet and say it’s for the whole company. 

The issue with this Equifax situation is that E&Y, according to MarketWatch, issued an attest opinion that all security controls were complete and in place, which later could not be supported.  Aside from this not being possible because it fails to acknowledge existance of the crystal ball that predicts any and all zero day attacks, it’s also a conflict of interest and violation of any accreditation rules.

To me this indicates a huge lack of understanding OR purposeful negligence.

Further, commentary from former SEC Chiefs…I’m withholding names since I don’t know if quotes are taken out of context BUT one head scratching quote, I’m paraphrasing, “there’s  question concerning how much reliance should be placed on the ISO certification when assessing internal controls over financial reporting.”

Uhh…you think? I can help out there…none.  There should be no reliance.  The context of the control is COMPLETELY different than what you would expect for a SOX 302 or 404 control.

This brings me to the belief that there continues to be a huge and massive misunderstanding of security controls at the highest level of organizations and within organizations that are supposed to be a trusted security advisor.

More often than not I see accounting firms fulfilling this assessment and assertion role within business. 

BUT who did Equifax call when they needed security clean up and investigation?  A Security Firm.  They called a Security Firm to try to fix stuff.  This seems to be a trend, the security firm is called as reactionary action.  What if the security firm was called first to do the proactive assessment? 

I’ll leave you with this.

You’d never hire a security company to advise on your accounting so why do we keep asking accounting firms to advise on security?