There are many limited-scope testing products and audit methods these days.
Some are fully automated, with fancy colourful graphs; others are a procedure with a checklist.
- The fully automated ones tend to have a narrow focus, produce false positives, and miss the unanticipated.
- Checklist procedures require a very competent person who is allowed to deviate from the checklist when an unanticipated situation turns up.
Both methods serve one specific purpose: to discover a subset of well-known (mainly technical and procedural) flaws, and only those flaws that happen to be active and detectable at the time the tests are run.
We discovered that there is a far quicker and more useful way to see how well an organisation is prepared: testing for key symptoms that are always visible from the outside.
This has the added advantage of covering more than one specific area, so it creates a more meaningful picture of the organisation's general level of protection, across its technical, structural, legal, compliance and organisational aspects.
This indicator testing method works well because the mainstream shares:
~ a mono-culture
~ default mistakes
~ conflicts of interest
~ misconceptions
~ a typical kind of stubbornness, caused by learned helplessness
~ a certain kind of apathy or laziness
~ blind spots
Combined, these cause close to all protection flaws.
So, rather than wasting a lot of time, money and other resources on either of the following:
Setting up test equipment and running huge batches of predefined tests against large numbers of technical infrastructure items, then spending more time extracting and presenting the relevant information (while avoiding every test that might destabilise anything in an operational structure), just to find out what may be wrong on the technical and/or procedural side.
Or bringing in very expensive auditors, with accompanying commercial consultants, to walk around buildings asking many questions and reading stacks of (often outdated and tainted) documentation, and to translate all of that into 'facts' that fit a chosen model.
A chosen model that is then used to formulate outcomes with 'statistical precision', linked to a set of advice with covert sales talk, packaged in fancy-looking reports.
Both normally result in meetings with discussions and perhaps some commercially interesting improvement projects, with you as the consumer who pays for it all.
We can have what we informally call 'a quick look'.
It creates a far more informative picture of the current overall level of control.
There is really no need for magical statistics or lengthy fancy reports
just to provide you with the key information you need.
Just have a pragmatic chat to gain insight into the sore points noticed (if any), along with possible ways to cure them.
With that information you can decide how you want to use your resources to get the outcome you want.
Our clients no longer have to waste their resources on, or be frustrated by, the 'security' rat race.
To a typical 'security'-selling organisation our approach may sound like desecration.
They choose to nurture deficiency for short-term personal profit; => Degeneration
We prefer to improve structures for the long-term benefit of us all; =>> Evolution