There is a difference between knowing the path and walking the path, right? Just because I have something does not mean I know something, or that I do something.
Just because there are technologies, software or tools for a thing, let's say GDPR compliance metrics, patch management, ITIL platforms, vulnerability scanning, application security testing, and so on, does not mean the job is done once you have the tool (leaving aside that treating a "solution" as something delivered and fulfilled by technologies or tools is a very bad idea in itself).
Am I actually fixing anything just because I have a fancy toolbox in the garage? Am I driving very well because my car has a bunch of detection sensors in it?
GDPR compliance or a patching strategy, scanning for vulnerabilities or testing an application for security flaws: none of these are achieved just because someone has a tool or platform (no matter how big and fancy the name) with the related menus, options and settings.
If that sounds obvious or stupid to you, then you probably know the difference, but in reality you will find most of the population of what we call "IT Professionals" fooling themselves, or perhaps really believing in their fancy toolboxes as the final solution.
I was working with a colleague the other day and he was telling me that their firm is GDPR compliant because of all those titles and menus you can find in their compliance software. I met someone with decades of experience in IT and she was telling me that they are ITIL compliant because they have now purchased software which has all the ITIL requirements and modules.
We won't get better just because we have better tools. Does having Excel set up on my machine mean 1) I know how to do statistics, 2) I am doing statistics? Just because a security guy has OpenVAS installed and updated on their machine, does that mean 1) they know how to scan, 2) they know how vulnerability scanning works, 3) they are scanning for vulnerabilities, or 4) they analyze the results of their vulnerability scanning properly?