Fake Audit Certificates | We don't know what risk is!
#163 - How to get your data centre TIA-942 compliant the wrong way | Defining risk is the key to better risk assessments
Tech company CEO set up a fake certification company to show TIA-942 compliance
Everyone tries to find ‘supportive’ auditors, but setting up a fake company to show compliance is taking things to the next level
“If you are not certified on this security / privacy / availability standard, you will not get our business.” is how most service providers enter into the world of compliance.
The CISO and the Risk & Compliance teams start getting frantic calls from sales with unreal expectations.
“We have to get certified in this quarter if we have to get this business!”
Then the hunt for compliance begins. Rather than seeking to set up the processes and systems required to be compliant in letter and spirit, the focus is on generating evidence to show compliance to auditors. There is a hunt for ‘friendly’ auditors who will agree to look the other way for some controls or underplay certain key observations.
Sadly, these are normal practices that barely lift an eyebrow in our world.
What happened here was a completely different story. To get business from the SEC, this CEO set up a fake company that provided certifications. A compliance certificate was generated and a $10.7 million deal was signed. Until the truth caught up, that is.
Read the article as well as the PDF of the judgement to know the details. A quick search of the accused’s name on LinkedIn gives a hint of the company that might be at the centre of this.
Take Action:
Cybersecurity Professionals:
You face these moral career dilemmas every day. Any decision you take may blow up. Don’t take short-term decisions that will come back and bite you.
Choose your certification bodies and consultants wisely. The cheapest certificates and the cheapest consultants are cheap for a reason. You don’t want to know the reason.
If you are a cybersecurity consultant or auditor, do not succumb to pressure to show compliance where you know none exists.
Most importantly: Spend time understanding risks and setting up the right controls before thinking of showing compliance
Cyber Insurance Underwriters:
Don’t blindly rely on your insured having a certificate of compliance. If it is a large risk that you are underwriting, verify that the controls you expect actually exist.
The Risk Definition Challenge
Before doing a risk assessment, we must agree on what we mean by risk…
I put up a post on LinkedIn about the ‘risk definition crisis’. It was a simple Excel sheet listing the different definitions of risk given by the various information security and cybersecurity standards.
I had a lot of interesting feedback. Here is the spreadsheet as a PDF, if you want to download and go through it.
People seem to disagree on whether a clear definition of risk is even required!
The feedback ranged from “the definitions are just theoretical and make no difference to the risk assessment process” to “having various definitions of risk is a good thing, because risk is only ever defined in context.”
I tend to disagree on both these counts. A clear definition is essential to know that everyone is talking about the same thing.
One gentleman gave me the example of snow. There would be a hundred types of snow in the Arctic, while there would be just a couple in less snowy places. That does not mean we don’t shovel snow. Interestingly, we still need to define what snow is to be able to differentiate between a snowstorm and a hailstorm. Read the comments section of the post if you want to know the nuances.
Take Action:
How do you define a risk? Are you clear about what a risk means? Clarify and agree on this definition within your organisation so that your assessments are consistent.
I will be putting up a post on how I feel a risk should be defined, should you want to wait for it. 😊
This is a sad reality. I work with a lot of startups to get them ready for SOC2, ISO27001 compliance and I’m lost for words with the quality of auditors. They can’t read basic controls and most audits are superficial.