Your security is only as good as you let your auditor review it. Your audit is only as good as your auditor has skill and knowledge enough to find the holes or verify the lack of them.
I wonder what the rate of subterfuge is for keeping your mushroom auditors in the dark as much as possible.
So this gets back to one of the qualities I find most important in a tech worker: integrity and honesty. Not something business is always fond of adhering to? Business is long practiced in hiding as much as it can…
Does this mean that cyber security is destined to never be very good? While this was a decent gamble 20 years ago, when one person couldn’t steal more than a few reams of paper, today’s digital world lends efficiency such that an entire company’s existence can be pillaged via a portable music player in minutes by one person. Can one company be at the forefront of security and still maintain a cost/profit/edge over the rest of its market?
Maybe it will just be painful until culture/society slowly catch up to these changing paradigms.
For as much as I hear and even talk about aligning business and security more and more, it’s still like pushing the same poles of two rare-earth magnets together, no matter how well-meaning everyone is.
Operating systems were designed for sharing information, not to be secure. Business rules are based on relative trust relationships, while security rules mitigate risk by being translated into object-centric labels.
Face it, the status quo paradigm of the IT security industry is dysfunctional.