this post was submitted on 05 Jan 2024
7 points (88.9% liked)
Technology
59390 readers
4322 users here now
This is a most excellent place for technology news and articles.
Our Rules
- Follow the lemmy.world rules.
- Only tech related content.
- Be excellent to each another!
- Mod approved content bots can post up to 10 articles per day.
- Threads asking for personal tech support may be deleted.
- Politics threads may be removed.
- No memes allowed as posts, OK to post as comments.
- Only approved bots from the list below, to ask if your bot can be added please contact us.
- Check for duplicates before posting, duplicates may be removed
Approved Bots
founded 1 year ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
I just spent a bit digging into that company just now. You can figure out a good portion of their software stack from their IT employee profiles on LinkedIn, btw.
Given that their org is mainly composed of attorneys, it is probably a safe bet to say they are Governance, Risk and Compliance (GRC) top-heavy. This almost always results in security-by-spreadsheet and poor classification of risk. While I am sure their broad risks are well documented and tracked, it's highly unlikely that real issues get the time of day because those don't make for meetings senior managers can understand.
In this drive for pristine paperwork, they likely have compliance reports for all of their larger customers. This generally includes all applications used, how servers are secured and how often they are patched, access control lists, detailed network diagrams and much, much more. That documentation probably also has all application and database "interface" lists, what ports they are running on and how those service accounts are maintained. Best of all, they likely have lists of "security exceptions", or security issues that are in the process of getting fixed... Just to reiterate, this is not only for Orrik, but any of their customers they have done security reviews for.
Without a doubt, their IT and security staff is minimal. When everything is in the cloud, it's somebody else's problem, amirite?
It makes me chuckle a little to see GRC folk get taken down a few notches in organizations like these.
I remember when I realized that the lawyers had taken over cybersecurity. It was 2018. I was in a meeting, looked around, and realized that I was the only person in the room who codes or has ever coded, and also the only person without formal certifications in security. 5 years earlier, security teams were full of people from all walks of life, who often got into security from (let's call it) "practical" experience.