Let’s say you need something that we don't mention. You’ve read the guide for choosing tech solutions and narrowed it down to three choices. Security is important because you want to store nuclear launch codes in it and bad people are after you. One of the choices proudly advertises, “Guaranteed Secure by McAfee!” What exactly does that mean?
It means nothing.
Certifications exist because the technical parts of security are complicated. In theory, they are a low bar: if you are certified, it means that someone checked what you do and then said you’re not terrible. But for a lot of reasons, most of them are just marketing. Some mean a little; those are listed at the end. None of them come close to guaranteeing that someone’s doing a good job. Here’s a quick summary of some of the most common certifications.
Website badges and seals
Completely worthless. A badge on a web page doesn’t tell you anything about their security, or even whether they’re legitimate. Any goof can grab one of these pictures from another webpage and put it on their own. Here are some examples:
PCI DSS
Completely worthless as a signal. Anyone who handles credit cards has to comply, but all except the largest merchants are allowed to self-assess by filling in a questionnaire, and nobody checks their answers until something terrible happens and the card brands send in forensic investigators to figure out who should pay for all the fraud. Only the biggest merchants and payment processors have to pass an on-site assessment by a Qualified Security Assessor, and even that is a point-in-time snapshot of the card-handling systems, not of the company’s security as a whole.
SOC1, SOC2, SOC3
Worth a little bit. They are the security version of “Nobody ever got fired for buying IBM.” A SOC 1 covers controls over financial reporting and says nothing about security; a SOC 2 covers the auditor’s trust criteria (security, availability, confidentiality and so on); a SOC 3 is just the public summary of a SOC 2. None of them tell you how good the company is at the important things, and the reports are full of weasel-words: the company decides which systems are in scope and writes its own control descriptions, and the auditor checks that those controls operated as described. If you do get hold of a SOC 2, ask for the Type 2 report (a Type 1 only says the controls were designed sensibly on one day; a Type 2 says they actually operated over a period), read the scope section, and look for the exceptions the auditor noted.
Big companies like them because if something goes wrong, they can point and say, “Not our fault: See the SOC2? We did everything we’re supposed to!” when they get sued.
Worth a little bit. It mostly means that someone spent a lot of time writing policies about security. Like a SOC2, it doesn’t check for the important things.
SIG
Not a certification, but means a little bit. A SIG (Standardized Information Gathering questionnaire) is a huge list of technical questions to which a company answers yes or no. If they have one, that sometimes means they thought about it. It may even mean that they get pressure from customers to actually do the things on the list. But sometimes all it means is that a sales rep spent 40 minutes clicking “yes” to every question. If you rely on one, spot-check a few of the “yes” answers that matter to you and ask for the evidence behind them.
FedRAMP
Worth a fair bit. It means that a cloud service persuaded the US federal government to trust it with federal agency data (unclassified, but often sensitive; FedRAMP is not about classified secrets). Think what you want about the federal government, but they put you through the wringer: hundreds of NIST SP 800-53 controls, an independent assessor, and continuous monitoring after the authorization is granted. If the federal government cared about the important things, FedRAMP would mean a lot more. There’s good news: they are starting to. Cybersecurity is a big part of the Biden agenda, and the approach and priorities were laid out in Executive Order 14028 in May 2021. Unlike a lot of politics or industry frameworks, this Executive Order got almost everything right, and really scared some industry stalwarts. NIST and the federal agencies that write the specific guidance for agencies and their vendors are now updating it, so we should see meaningful improvements to the credibility of FedRAMP by mid-2022.
BAA
Not a certification, but still worth a fair bit. A BAA (Business Associate Agreement) is the contract HIPAA requires between a healthcare organization and any vendor that handles protected health information on its behalf. If a business advertises that it will sign one, it usually means they know the federal rules for securing health info and are willing to be legally on the hook for them. Screwing those up gets you huge fines, so if you see one, it means they’ve thought about what they’re doing. The nice thing about a BAA is that the HIPAA requirements are decently sensible. Keep in mind that nobody certifies HIPAA compliance: a BAA is a promise backed by liability, not an audit, so it tells you the vendor accepts the obligations, not that anyone has checked their work.