Synopsis
It is no secret that holding a premier security certification can sometimes instil a false sense of invulnerability.
Between 2018 and 2023, Australian organisations faced a significant uptick in data breaches despite boasting leading cyber security certifications like ISO 27001 and PCI DSS. This talk will delve into the paradox of certified security and actual security maturity, exploring high-profile case studies, the security certificates maintained by these organisations, and the underlying causes of both the breaches and the culture that produces blind spots in otherwise vigilant environments.
According to data provided by the ACSC and OAIC and derived from the NDBS, the number of reported breaches has risen sharply over the last 5 years, and a significant portion of those breaches involved organisations holding leading security certifications. The cause of these breaches often lies beyond the scope of what certifications cover, or outside a scope boundary that is designed to pass audits rather than to provide meaningful security coverage.
While certifications like ISO 27001 and PCI DSS ensure a baseline level of security, they provide no protection against out-of-scope or out-of-sight security weaknesses, such as human error, supply chain vulnerabilities, or cultures that prioritise go-live dates over secure procurement, software development and project management.