A Bureaucracy Can Actually be a Vulnerability
How?
Because bureaucracies are inherently slow, cumbersome, and lack the necessary continuity to stay secure. They tend to have slips. They also tend to be driven by the personalities that rule them rather than by the processes that rule them. This is why a bureaucracy can have all of the best policies and procedures in the world but still fail in security. They can have all the working groups and committees and meetings about security but still be insecure. Why?
Because bureaucracies know how to make things look good on paper, and look for “documentation compliance” rather than true technical compliance. Sure organizations get tested for actual technical vulnerabilities. But it’s in the remediation of those vulnerabilities where the weaknesses lie, not in the skill of those testing.
What good is it if an organization undergoes a security vulnerability or penetration test and never fixes the issues or accepts too much risk? What controls are there to no longer accept risk or to curtail “risk creep” which is the acceptance of too much risk based on the acceptance of past risk? What controls ensure fixes are validated instead of pencil whipped?
Sacred Cows of Bureaucracies
A bureaucracy will never change and therefore its sacred cows will cause it to be vulnerable. Why? because those sacred cows are usually not messed with. They remain a critical entry point of threat, attack, exploitation and vulnerability.
Unless a bureaucracy changes its ways, it is inherently a vulnerability and the weaknesses it has will be exploited. If there is a known lax individual or a less vigilant department, that is surely the entry point for a threat to exploit. Just the sheer slowness and cumbersomeness of a bureaucracy will keep it vulnerable unless it really trims the fat, becomes lean and cuts out all unnecessary processes. Until this happens, any bureaucratic organization remains vulnerable.
Wisdom and Common Sense is only a click away!