Not many companies expect to be hacked. Often it happens because their security controls don't cover all of the possible business vulnerabilities, or the budget is invested in the wrong areas.
Whether we are talking about penetration testing or auditing, a security engineer's job is to reveal and deal with the unexpected. We are often the bearers of bad news who point out uncomfortable truths. Many companies just want to have a security certificate to reassure their customers that their systems are safe and trustworthy. The question has to be whether it is the right certificate: is it relevant to the service that they are providing? An auditor should not be there just to rubber-stamp the system and provide the certificate.
People expect to be able to trust their bank, the authorities, healthcare institutions on which they rely... Legally, at least in Germany, Jo(e) Bloggs has the right to ask about the existing security arrangements for a particular public service. But this doesn't reveal anything about the actual security implementation, the assumptions behind it and the level of risk that is accepted by the organisation running the service.
At the end of the day, as members of the public, we don't have the slightest chance of verifying whether this trust is misplaced or not. We are not involved when a public service commissions a software company to develop a new system and a data centre to host it. The service level agreements (SLAs) are negotiated in private between the service owner and the software company or service provider. The security controls are decided based on current levels of technical knowledge and expertise. Vulnerabilities are designed into the infrastructure because of the symbiotic relationships between the service owners, providers and software companies, where none of them is held to account for data breaches.
The introduction of GDPR was intended to be a foot in this door, at least from the perspective of data protection, to empower the citizen and let in some light. It is indeed a step in the right direction, but people need to be engaged as clients, citizens or patients. Engagement would create a culture of transparency among service providers, and service engineers could play a key role in checking whether a service meets customer expectations.
At U'need'Security we are working to make services more transparent, which means more trustworthy and more sustainable.