John's InfoSec Ramblings

The thoughts of a man working his way through a career in Information Security.

John Svazic

Re-Thinking Compliance Requirements

Welcome back!

Okay, so I’ll just ignore the fact that I haven’t posted in nearly 5 years, but this one is stuck in my mind right now. I could post it on Mastodon, but I think it deserves an easier-to-find home that is still somewhat out of the way. Bear with me, this first ramble is my own justification to myself on why I’m resurrecting this old blog, even if it’s for just one post.

Compliance Frameworks

I’m sure most of you are familiar with compliance frameworks like PCI-DSS, SOC2, and ISO 27001 and its myriad of offspring. Canada has its own, the CyberSecure Canada certification, which is lesser known but apparently aimed at SMEs in Canada. Lucky me, that fits my own company!

So I’m looking into getting certified, while at the same time also looking to get my company to join the CREST organization, specifically for penetration testing. I want the company to become a member so that I can get a discount when I go for my personal CREST certifications in 2025. I even have a whole training plan and everything for it!

So what were my original thoughts on certifications? Well, I’ve worked at companies and gone through SOC2 (types 1 and 2), ISO 9001, PCI-DSS, and other compliance audits in the past, and my personal opinion was the same as most others in this industry: a complete waste of time that doesn’t really prove security. Sure, policies need to be written and evidence provided, but honestly that doesn’t prove that everything is being followed by anyone. When I was doing ISO 9001 audits, my team was the only one selected for the audits because we actually followed the entire process. Just ignore the 30 other teams skirting their way through the day. It sucked.

Then there are the auditors. Take SOC2 for example: I can have my auditor limit the scope of the audit to just what I know will pass with flying colours. There are very few people who are going to read the full report (as opposed to looking for exceptions/shortcomings in the report) to ensure the scope makes sense. Plus I’m paying an outside firm a lot of money to make me look good. Having dealt with some “questionable” firms in the past, my view has been soured on the entire thing.

Overall, I’m happy to see when an organization has these compliance certifications in place, but I’m still skeptical of their value when it comes to proving a security posture. I still want to see independent pentest reports and other evidence before I’m comfortable, but at least with an audit report I have something to point to if I need to cry “contract breach!” when something goes wrong with the vendor.

My Own Journey

So what’s changed? Well, first off is my perspective! This time I’m working on things for myself. EliteSec is small, with only me running the show. While I’m fine with keeping everything in my head, it doesn’t help when seeking a compliance certification. So now I’ve got to make sure to document everything: policies, procedures, and a few standards thrown in there for good measure. Incident response plans, sample contracts, etc., are all requested. Some of it is for the CyberSecure Canada compliance certification, and the rest for the CREST company application. There’s enough overlap between the two that I’m tackling both at the same time, but I suspect I’ll need the CyberSecure Canada one to support my CREST application. We’ll see.

Anywho, while I think some of this is a bit frivolous for just one person, I’ve come to respect the need to do it. Why? Growth. I’m now better prepared to onboard a new person, or to show prospective buyers why we’re a solid organization. Neither is in the plans at this time, but it’s nice to have these things in place. Overall, I’ve shifted my focus away from the questionable impression of security that these compliance certifications give; looking at it instead from the perspective of documenting the processes (and essentially the “worth” of the company) makes all this preparation a valuable exercise for me.

Note that I’m not talking about the importance of these compliance certifications in terms of business value, which is a different topic altogether. And yes, I do think there is value in these certifications from that perspective. Likewise, I’m not saying that anyone with these certifications has poor security practices, but the reality is that these certifications are not enough. They do ensure proper documentation and processes are in place, but again, that doesn’t mean they are applied everywhere.

Look, we all have areas to improve; after all, security is nothing if not fluid. Threats and techniques constantly change, and we’re always improving. Cool, let’s just make sure it’s a core focus and not something on the third tier. For me, changing my perspective has helped me appreciate the prep work for this type of effort.

I’m not looking to change or sway anyone’s opinions, I’m just sharing my own. Take it as you will, and have a wonderful holiday season.

– John
