"Yes, CxOs could listen more. Absolutely. Yes they could take InfoSec seriously"
A lot of them do, but the insurance companies hamstring you into deploying dumb shit and ticking boxes because your C suite is more inclined to listen to the insurance companies than actual cybersecurity experts...which a lot of the time is counterproductive and leads to more vulnerabilities due to users finding it necessary to work around certain measures.
I had a battle with a "cybersecurity insurance" company a couple of years back that was trying to force me to deploy stuff that I knew was stupid and hadn't been thought through. When I repeatedly demanded that they bring their cybersecurity expert into meetings with them to allow me to discuss things, they eventually caved in and admitted they didn't have one...at which point, I threw down my various industry-recognised cybersecurity certs (CySA+, CISSP etc.) on the table and they reluctantly signed off on my implementation...they don't even know what a CVE is...one of the recommendations they put to me involved a third-party product, which they recommend a specific version of, that comes with a massive fucking 8.0 CVE.
The whole cyber insurance sector is fucked up and probably forces more bad practice than it prevents...and it definitely can't establish whether or not your setup is as good as it can be, because they don't have the experts to verify / understand things.
There was another time I was parachuted into a ransomware situation to clean things up and get things going again. I was recommended by a mutual third party (and I did the work as a favour to this third party, essentially; they pay me for ongoing services, but loaned me out for a few days), because the business had been down for a week and no progress had been made and this business was quite a large customer of the third party...I got there and the team "dealing" with it was sent in by an insurance company...they moaned about how hard it was to get rid of, because by the time they'd cleaned up one machine, it popped up on another. They hadn't even disconnected any network cables. Fucking useless...I had it cleaned up and sparkling within 2 days...they had solid backups, so it was pretty straightforward.
The frustrating part of all of this is that it's not even a skills shortage problem, it's a hiring problem...none of these organisations know how to hire cybersecurity people and in the rare cases they do, they don't know how to keep hold of them.
There are plenty of skilled and experienced cybersecurity folks out there, but they come from a time when cybersecurity certifications didn't exist and most of them aren't inclined to go and get a cybersecurity cert because of the stupid requirements to achieve the full cert...like the CISSP for example, having to prove your experience (which is fucking difficult in tech because NDAs are very common) and/or knowing someone that already has the cert to vouch for you (which very few existing CISSPs will do). It's dumb as fuck.
Another problem is that a lot of cybersecurity certs lapsed over the pandemic, because some of them require CPE in order for you to keep them "active"...basically, you have to attend events, read stuff, publish stuff etc etc in order to get CPE points and you need a certain number of CPE points for your cert to stay valid. Good idea on paper, ridiculous in practice because the busier you are, the harder it is to earn CPE points...it's essentially a system that rewards you for shirking work.
I passed both the CISSP and CySA+ (002 beta exam) in late 2019...by the time we were out of lockdowns etc., both had lapsed because it was impossible to accrue the necessary CPE...so I had to resit them...I suspect a lot of people probably didn't bother...so there are likely quite a few folks out there that are former CySA+ or CISSP holders that just won't bother applying for cybersecurity roles now...that is skill and experience being left on the table because of stupid certification requirements.