158
this post was submitted on 20 Jul 2024
158 points (97.6% liked)
Technology
1180 readers
139 users here now
Which posts fit here?
Anything that is at least tangentially connected to the technology, social media platforms, informational technologies and tech policy.
Rules
1. English only
Title and associated content has to be in English.
2. Use original link
Post URL should be the original link to the article (even if paywalled) and archived copies left in the body. It allows avoiding duplicate posts when cross-posting.
3. Respectful communication
All communication has to be respectful of differing opinions, viewpoints, and experiences.
4. Inclusivity
Everyone is welcome here regardless of age, body size, visible or invisible disability, ethnicity, sex characteristics, gender identity and expression, education, socio-economic status, nationality, personal appearance, race, caste, color, religion, or sexual identity and orientation.
5. Ad hominem attacks
Any kind of personal attacks are expressly forbidden. If you can't argue your position without attacking a person's character, you already lost the argument.
6. Off-topic tangents
Stay on topic. Keep it relevant.
7. Instance rules may apply
If something is not covered by community rules, but are against lemmy.zip instance rules, they will be enforced.
Companion communities
[email protected]
[email protected]
Icon attribution | Banner attribution
founded 10 months ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
It gets worse. Tech companies are service providers that typically work with a chain of other service providers. About 40%-50% of the controls for the last SOC2 audit I ran was carved out and deferred to our service providers. (Also, there are limited applicable frameworks: SOC2, PCI, ISO-270001, HIPAA and HITRUST are common for me, but usually related to cloud services.)
Yeah, I tend to break the brains of auditors that have never dealt with startups and have been used to Fortune 500 mega-companies. What's funnier, is that I am just a lowly security engineer. A very experienced security engineer, but a lowly one nonetheless.
Auditor: So what is your documented process for this ?
Me: Uhh, we don't have one?
Auditor: What about when X or Y catastrophic issue happens?
Me: Anyone just pushes this button and activates that widget.
Auditor: Ok. Uh. Is that process documented?
Me: Nope. We probably do it about 2-3 times a week anyway.
Yeah we do a lot around frameworks at my current place, and previously we worked directly with customers with iso and acsc essential 8 frameworks. For us, non-compliance = revenue opportunity. That means we are financially rewarded for aligning them and encouraged to do so. On that same note I wrote up a checklist for "sysadmin best practices" aimed for driving reviews and checks and Remedial opportunities for small businesses, useful in that space. I got such an overwhelming amount of response in the msp reddit from people asking in DMs about it (not hundreds, just dozens, too many for me though). It's quiet here in lemmy. Happy to share my updated version of course, just I think if you're dealing in your sector it'll look like childs play lol. But I kind of want to encourage a bit of community within professionals here. I just don't want do spend time on it..
I feel you about the lowly experienced officer bit though. An account manager or business development manager, or even CTO won't listen to me. I have a business degree, most of them don't. I try to apply critical decision making in my solutions and risk advisory. But the words fall on deaf ears. I take a small but very guilty pleasure watching the very thing I warn against, happening both to clients and my employers. Especially when the prevention was trivial but all it needed was any amount of attention.
After nearly 20 years of IT and about 15 in MSP I'm so tired. I'm very much resonating with that "lowly engineer" comment.