Salty On Security

Opinions about security, management strategy, and organizational culture.

Security is misunderstood. It’s not as complicated as it seems, and there’s a lot of common sense available if you want it. Further, the practices that make products and organizations excellent tend to also generate strong security.

Recent Posts


Lessons from the Vercel Breach

If your customer data can be stolen because one IT person tried out the wrong software, that is not a 'we got unlucky' failure. That kind of failure says you don't care. You would never know that Vercel had this problem from their cyber marketing. I'm sure their SOC2 is spotless, their pen tests were glowing, and their ISO 27k cert is probably written by the most respectable consultant you can imagine. But the laziness that caused this problem is not on any security framework except maybe CIS CSC (which almost nobody audits to). There isn't even a standard industry buzzword for being decent at this.

Security Teams could be more trusted.

Security Marketing and Sales, Part 2: Baggage

Today, I expand on the challenges most security leaders face when explaining the value of security: usually people already don't like you. We discuss what you can do about it, focusing on how you can make your services and platforms support your message of helpfulness.

CIS 2.1 - the Mission

CIS 2.1 contains the core mission of CIS 2: have an accurate Software Inventory. The other CIS 2 controls are just supporting ways that help deliver that core mission.

CIS 2 Explained

An Inventory of IT Stuff is a helpful thing: it's a necessary starting point for lots of other technical security work. But you know what would be even more helpful? Knowing what each thing does. Zowie! That would be wild.