Saturday, July 9, 2022

Tell HN: Information security audit / consulting is largely a scam industry

In light of a recent thread about SOC 2 certification (https://news.ycombinator.com/item?id=32018066), I wanted to share my perspective as an auditor/consultant on the other side of the table and inform people just how grim it looks from the inside. Before I get dunked on, yes - there are probably smaller niche firms worth every penny.

Shortly after starting in this line of work, it became clear that the services we sell are disingenuous. Here are some examples of why:

* My main argument: there is a HIGH likelihood that information security consulting is the first job out of college for the auditor leading you through the engagement. Beyond surface-level knowledge about multi-factor authentication being important and knowing that “Splunk is where the logs go,” your assessor is probably just nodding their head, asking canned questions from a spreadsheet, and not fully comprehending what you are telling them.

* We are told to describe ourselves as information security experts. I am not an expert. Every time I have to describe myself as the expert, I die a little inside. If I am the expert in the room yet still a recent college graduate, there is a glaring problem here.

* The middle manager of my department did not know the difference between a public and a private IP address when we reviewed DRL evidence together.

* The person leading your engagement may have a slight idea about what is going on, but they probably are tied to five other engagements and are not genuinely motivated to find problems because they are already underwater.

I can’t say that information security consulting is all bad. On several occasions, I have helped companies remove the clueless CEO from Domain Admins or explain why adding MFA to Cisco AnyConnect was a good idea for them. I should also mention that these types of positions are great for learning the inner workings of large companies that you might want to work at later on, how to passably write a report, and how to present information to executives.

Maybe I am preaching to the choir here. Interested to hear others' perspectives.

from Hacker News https://ift.tt/LzShuFE