Compliance ≠ Security

As we enter the new year, many of us will start the annual third-party attestations. It’s important to remember that holding a third-party attestation provides only a baseline assurance that management, operational, and technical controls have been implemented effectively. Compliance demonstrated by a clean SOC 2 report, ISO 27001 certification, HITRUST certification, etc. does not equate to ironclad security. It only assures that a third party has audited the system and reviewed evidence against a set of controls.

The following are a few security-related projects, outside the scope of an audit, that should be on a security team's radar:

  1. Threat modeling
  2. SCA/SAST/DAST
  3. Source code review
  4. Assessing vendors after they have had an incident or breach
  5. BCP call-tree exercise
  6. Social media account security
  7. Proactive brand protection from cybersquatting
  8. AI Governance
  9. AI Guardrails
  10. AI Observability
  11. PRD reviews, Tech spec reviews
  12. Internal pentest of major feature releases
  13. Vulnerability Disclosure / Bug Bounty Program
  14. Secure code training (only ISO 27001:2022 & HITRUST require it)
  15. Quality/effectiveness of security awareness training
  16. Data loss/leakage protection (DLP)
  17. Security of browser extensions, Slack bots, etc.
  18. Policy exception approval and review
  19. Integration with third-party systems
  20. Privacy on customer reporting (k-anonymity, l-diversity, t-closeness)
  21. Risk assessment with Delphi technique
  22. M&A due diligence

It’s easy to come up with a list of another 20, but the goal is to emphasize that while obtaining a third-party attestation is a great first step, the job of a security team is just getting started.

I spent the majority of my career in GRC and don’t want to discount the effort the above compliance standards require; however, the goal of this post is to encourage us all to look beyond the singular focus of obtaining a certification and dive into other areas of security, compliance, and privacy.