Research & Consultancy

Compliance, Complacency, Complicity

Crooked logic in action:

     "We are compliant!    So, all is fine!"
     is the same nonsense as:
     "We have a smoke alarm!   So, we don't need fire extinguishers."


When we report to an organisation that test results prove several fundamental shortcomings in its protection structure, showing that the organisation has not actually implemented a structure in line with its chosen guidelines and/or the official regulations, the usual response is the self-deceiving statement: "But, we are compliant!".
It is made by most CEOs, certified security officers, department managers, politicians and bureaucrats, after some arbitrary auditor was paid to put a signature on a checklist report, having merely checked a superficial sample of all the requirements for compliance.

With that "We are compliant!" statement there automagically seems to come a loss of interest in any evidence that not all is fine, and perhaps that the organisation is in fact not even compliant.

In other words: the responsible people, in all their complacency, do not want to know that their building is on fire while they still have the receipt for the expensive smoke alarm in their wallet, never having read the manual, which states that the device does not prevent fire.

Consequently, their complicity in neglecting their duty,
   to at least examine any evidence which contradicts their belief,
     has become a risk factor in itself!
..Closing the self-deception loop back to the beginning..

The described situation is currently the norm rather than the exception.
The reason why it exists can be found in Paper28a.


Examples of major incidents which could easily have been prevented are readily found in the news headlines, because there are so many of them all the time: all those 'fully certified' organisations which had been warned about security flaws and were subsequently hacked, but did not act on the warnings because they had convinced themselves they had already done all they 'needed to do'...
..until a journalist got wind of it.


If for some reason your organisation wants to be compliant with a 'security' standard or framework,
 like the ISO 27001 variations, ISO 15408, IEC 62443, the NIST CSF, COBIT, etc.,
then you had better handle the visit from the auditor like a visit from an old-fashioned mother-in-law. 😉
Polish the silverware to make her happy, but use stainless steel cutlery to eat with.
The label on the silver polish bottle shows that it is toxic.


Most organisations lose their autonomy, and the unique edge that comes with it, after being dragged into adjusting to the one-size-fits-all "standards" monoculture.

But if the leading people in your organisation are able to be proactive, then ASCS can be used to facilitate a natural safeguard structure,
after which you can comply with any chosen 'security' standard without much effort.

Feel free to request a chat, to learn how it works.