Cargo cult audit

It is probably best to start by explaining what a cargo cult is in general. In short: people in fairly primitive societies observed huge aircraft dropping food and ammunition for a warring army, and decided that to also receive such "gifts", they did not need to invent an airplane, build a delivery logistics system, or develop a network of factories, but only to dress like military personnel and build a runway and radio tower out of coconut palms and straw.

Cybersecurity also has its own cargo cult, and it's called "best practices".

My friend, after getting a job at a large company far from IT and cybersecurity, found that under the existing security policy, passwords had to be changed every 30 days, and the password had to be complex and not be reused. This approach is not up for debate; any security specialist will tell you that this is a top-priority measure, and there is no other way to go about it. We did this 5 years ago, 10 years ago, and probably even earlier. But the problem is that this does not help security at all. And even though this measure is not discussed and is literally "set in stone", NIST has been directly saying for several years now that if there have been no data breaches in a company, there is no need to change passwords so frequently. That's quite a twist. What's more, they write that if you force users to change passwords frequently, people start using the same passwords with minimal changes, and if you try to fight that too, workstations start getting covered with stickers with written-down passwords.

In that company, after some time they started fighting this phenomenon and even bought a corporate password manager. I can imagine how much effort the information security managers had to put in to justify the purchase. Then, again following best practices, they banned copying and pasting passwords. That is, they effectively bought a product and banned using it. There are plenty of such examples in our industry. A DLP system is in operation at the company, but employees can bring their own smartphones, flash drives are prohibited, but for some reason there is access to personal email and messengers. A separate item is mandatory regular information security training for all employees, which distracts from daily duties and usually causes nothing but irritation.

At one of my acquaintances' companies, the information security administrators suddenly disabled all ways to work with email except Outlook Anywhere, and immediately clients that used various pop3 and imap stopped working. Yes, this aligns with ideas about security, but it breaks business processes. In the same organization, responsible administrators would fly into a rage when they saw red crosses next to hundreds of servers during monthly scanning, and demanded that all existing patches be installed urgently. Explanations that this would break service operation and "actually we have compensating measures" made them fall into despondency. Stories that specific critical vulnerabilities can only be exploited if the stars align in a certain way convinced no one of anything. The scanning report was placed on the management's desk, and there were supposed to be no red crosses there at all.

This happens for exactly one reason — we all live within the framework of information security cargo cult, truly believing that there are some ritual actions that will inevitably lead to a state of complete nirvana security if you do them often enough and zealously. And although everyone knows that audits check for the presence of security measures, not their effectiveness, at the same time it is clear that the security specialists' KPIs have nothing to do with user experience.

Another colleague shared a great story about a company that rolled out a corporate browser with incognito mode disabled, plugin installation prohibited, and the password manager turned off. All of this is very secure and correct, fully aligns with best practices, but guess which portable browser the most tech-savvy users started using first, and then everyone else? Later, during a Zoom meeting, the department head complained that their endpoint visibility had dropped. No idea why that happened.

At another highly reputable organization, administrators were very actively fighting to ensure users never used their laptops with administrator privileges under any circumstances. That is an extremely sound idea that wasn’t even up for debate; the only issue was that all laptops were built from a single OS image that had the administrator password set. After six months of constant calls to support services asking to install or uninstall software, everyone knew the administrator password. Yes, technically users logged into the system with their user accounts, but there’s a catch.

In reality, many measures exist not because they work, but because after an incident, you can present them to a review commission. Over time, some cybersecurity specialists come to understand that the best security is not the maximum number of bans, but the minimum number of restrictions that actually help reduce risks. This is a completely heretical idea that is out of reach for specialists who are sitting at a console for the first time, faced with a hundred or so checkboxes and buttons that let you adjust the security level of a particular service. The payoff from tweaking settings is often just the moral "I did my job", while the real consequences are often unnoticeable, or even harmful.

What’s the alternative?

  • First, I propose continuing to follow best practices, but do so more frequently than once every 10 years. Indeed, information security (IS) is an extremely global field, and the work of our colleagues from other continents may be worth paying attention to regardless of our personal attitude toward the current situation in the world.

  • Second, the most difficult part is to find top specialists and integrators that specialize specifically in security. I know that it is 2026 outside and there are many different areas in IT, but clients continue to look for universal all-rounders. And it is not just about saving funds, the issue is the very setup itself.

  • Third is the most costly. In addition to top specialists, you need modern technical solutions. If the last time you bought new solutions was 5-7 years ago, you will be surprised at what modern IS software products are capable of today. Just look at hacker attack simulators and intrusion detection systems. This level of capability was simply impossible just a few years ago.

  • Fourth — collect feedback. For some reason, the HR department regularly collects feedback on who liked the latest corporate event and how, while IS and IT departments rarely inquire about how convenient it is to work with the latest service. And I wouldn’t vouch for which of these is more important. We need to finally admit that a user is not a vulnerability, but an adaptive system. And that any security measure that worsens people’s work triggers the evolution of workarounds. Live with that.

  • And finally, fifth — buckle up tight. Changes to the threat landscape and protection tools are happening so fast that most likely you will need a reliable partner to track trends, warn about dangers, and help when (and most often it is “when”, not “if”) hackers get to you.

Comments

    Also read