Hmmmm... I wonder if this would include SCADA and ICS configuration environments?
Corporations wouldn't sacrifice their existence over meager profit-margins would they? Nahhhhh...
Excerpted from a CFOWorld article:
"'They aren't leaving their door wide open. But they're not counting on somebody having glass cutters either. Now you need to have wire mesh on your windows, because the people focused on hacking have more and more tools,' she said."
"Combine that with the fact that data 'doesn't stay put,' means that the need for more sophisticated and layered security ought to be obvious, Archambeau said. 'Data is moving all over the place on many devices,' she said. 'So securing it is a lot harder.'"
Or better yet, how about this scenario:
"OK... we've recently had our CSAT audit, and have found that all of our critical assets and systems are in adherence to the regulatory/compliance requirements. So... we're secure. We don't need to do anything more. We're secure."
What I am trying to elaborate on (and I think I may have conveyed the wrong message) is that some organizations which have executed their cyber security assessment tool (CSAT) tend to feel secure once they have completed their assessments, may or may not feel that they need to initiate (or re-initiate) it again (for whatever reason), and seem to think that once a security assessment has been performed, they are done.
The reality is, and we're finding this more and more each year, that industries that are regulated or that have to adhere to a governance/compliance regime feel that if they simply follow the compliance requirements, they are secure.
This is a misnomer, as adherence to a regulation, governance or compliance requirement is a good start, but does not necessarily mean that an organization is "secure". It simply means that the organization is meeting the minimum requirements to be in compliance with a security model.
Can you tell the difference? Being "secure" means that your organization is constantly investigating issues, the networks and systems of your organization, and doing what is necessary to ensure that the "bad guys" stay out. You, as an organization, are working at this constantly.
A prime example of this "compliance vs. security" argument is the ongoing issues of organizations that are "NERC CIP compliant".
The term "checklisted security" comes to mind to describe the fact that adherence to a regulation, governance, or compliance requirement isn't really implementing "security" (per se), but simply adhering to... a regulation... a governance... or a compliance.
Cross-posted from SCADASEC