One of the exploitable mechanics of this scheme is the strategic division of labor between the organizations that implement the controls, create the security documentation, and provide the sign-off. Generally, each side distributes its risk by involving others whom it can blame when things go wrong. It is intentionally designed so that everyone involved, including the "cyber security experts", has only a narrow view and must trust the others to do the right thing. Risk management is very much a broken game designed to please suits whose priorities are not real cyber security.
gearnode•1h ago
The division of labor between implementation, documentation, and sign-off isn't the bug. It's the design. Independence between those layers is how you get credible assurance (in theory).
The bug is when nobody actually verifies. The audit firm holds the mandate to look at the full picture. When they sign without doing that, independence becomes a gap. And right now, the bodies supervising those firms aren't enforcing anything when that happens.
evanjrowley•1h ago