In one of the many groups I belong to, someone asked how much standards really help a company. My answer, as much as I wanted it to be, wasn't straightforward. I said, "It depends..." and went on to explain what I will lay out here: the nuances of my thinking.
For a small company or a growing business, these standards (NIST, ISO, SOX, etc.) provide the framework you need in order to grow. When you start this process you have nothing, and a standard gives you an easily attainable objective: something time tested, usually with plenty of resources available to help you reach the goal. In this case, standards and auditing are a real help.
On the other side of this discussion are companies that have been around a while, follow these standards (or closely follow them), get their regular audit, pass, and are happy. This is where working to an auditable standard is no longer a value add. Yes, it helps you maintain compliance and maybe turns up a few systems you had missed, but for the most part it is a checkbox.
This is where I tell companies: if you are only working to the standard, you're already behind. A standard is just that, a standard, and in our personal lives (if you have the money) we don't settle for that anymore. All cars meet a standard, but when you look at your organization's parking lot, I bet the executives aren't driving base-model vehicles; they choose one that goes beyond the standard, from a manufacturer that goes above and beyond for their comfort. IT and security standards are the same: they are the entry model we should be starting from, and then we build a better product, not just a standard one.
This has to start from the top down. Look at your last audit and ask which controls you can "tweak to 11"; look at other compliance standards and ask what you can borrow from them to build a more robust defense. That is what I want everyone to think: if you are passing audits regularly, then it's time for the next step. Figure out how you can do better, plan it, and achieve it. To a degree we do this already: if you are trying to implement zero trust, most standards don't call that out; that is something above and beyond.
Like most of my security advice, this is a stepping-stone process. Not every company needs to reach this level immediately; take your time and build to a standard first. Security is not an on/off switch: you cannot turn all of these controls on at once without causing chaos and user hatred. Think of security as a sliding scale; as long as you are moving up, you are moving in the right direction. Once you have a few passed audits under your belt, set your next goal and target that.