The Ashley Madison incident is still a source of very interesting news. The dating website for organised shady affairs (no judgement whatsoever) went to an Australian court and the hearing is public. This was the first time I saw a court do a risk assessment.
The report shows that Ashley Madison failed on its obligations to provide protection for the user data that, needless to explain, was highly personal.
It does not surprise me to know that they shared passwords on a Google Drive or that there was no multi-factor authentication when accessing their systems remotely, such as from a public location. Overall, 80% of security is about good technical controls that do not really need a Cyber Security Office. They do need, however, at some point, guidance from a security professional.
The only thing I have to say is that I am sure in Canada they would find someone who, for some £500/month, would be able to act as the interim CISO and stop them from having really bad practices.
This is basically my offer to many small companies or charities: let me spend 3~6 months in your company, do a nice gap assessment, align a report with some relevant framework and have the company implement and get started with Cyber Security. From then on, it's a matter of keeping it going with its own resources and some part-time steering. You even get a one-man SOC that will look out for obvious signs of compromise and issue alerts on major vulnerabilities and mitigation actions. Hence the round figure of £500/month.
80% of security, in my opinion, is low hanging fruit, especially when the company has so many technical resources that are easy to train and discipline. Good policies and guidelines are halfway there.
It is not enough to get ISO27k certified, but it is certainly enough to cover all the gaps the report details and much more.