u/NegotiationFirst131

What passes an audit but fails in practice for you?

My coworkers and I have been using this nice slow time at work to dive in to the compliance side of the house. One of the things we talked about where controls that pass an audit that are actually useless for us in practice. 😂

For example, we have audit logs going to a SIEM but most of our application and database logs do not and the client, server, network logs that do go are so large that they are never reviewed. Sure, we have setup alerts but it seems pointless with the amount of logs being stored and we have found that some of the alerts being generated people ignore anyway 😬

So I’m curious what other people see… what’s a control that passes in your org but secretly fails in practice?

reddit.com
u/NegotiationFirst131 — 3 days ago
▲ 28 r/ciso

Compliance is not security

Heard a worker go on a rant about “compliance is not security”, “checking the box”, “security theater” rant the other day.

It got me thinking… if compliance isn’t security, then what is?

The green dashboards that turn out to be wrong? The pentests that mostly find the stuff you’d have caught yourself if you’d kept your environment patched, updated, and configured? The tools you bought and never confirmed still work?

Feels like half the things we hold up as “real security” only look impressive because the basic compliance work wasn’t done in the first place.

Curious where people actually land on these phrases.

And a real question: is there a difference between an annual compliance audit and continuously checking that your environment actually stays secure all year long? I feel like the second part is where security should actually live. 😅

reddit.com
u/NegotiationFirst131 — 4 days ago
▲ 3 r/CMMC

Continuous Monitoring Question

Continuous monitoring is about verifying control effectiveness continuously. Do you feel like that’s actually being done? or how do you typically see companies meeting it?

And for the assessors here: when a company really emphasizes this control, do you find their environment is genuinely in better shape or just better at showing evidence at assessment time? Curious whether the ones who take it seriously are actually more secure day to day, or mainly more prepared.

reddit.com
u/NegotiationFirst131 — 4 days ago