data.day

The Myth of 'Secure Enough': If We Cannot Prove It, We Do Not Have It

Vendors sell security as a feeling. We demand security as a fact. Why 'military-grade encryption' means nothing without an audit log.

The Audit That Failed

A regulatory body requests an audit of your client data handling. They ask a simple question: “Who accessed the medical records of Client X in the last six months?”

You contact your software vendor. You ask for the report.

The vendor replies: “Our system is 256-bit encrypted. It is very secure. But we do not track individual view events for specific records.”

You return to the regulator empty-handed. You explain that the system is “secure,” but you cannot prove who looked at the file. The regulator issues a fine for non-compliance.

You had security marketing. You did not have security evidence.

The Ambiguity: Trust Me, It Is Encrypted

The industry is saturated with the term “Military-Grade.” This is marketing rhetoric. It usually refers to encryption at rest. While necessary, encryption is merely a lock on the door. It does not tell you who used the key.

The enemy is the Black Box. When you store data in a system that does not emit logs, you are operating in a blind spot.

  1. Insider Threat: If an employee exports your entire client list, does the system alert you?
  2. Unintended Exposure: If a permission setting was wrong for three days, can you determine which files were exposed?
  3. Deniability: If a client claims a leak came from your firm, can you prove it did not?

Without evidence, “secure” is an opinion. In liability management, opinions are worthless.

The Record: Evidence as a Feature

We must shift our criteria for software selection. We do not ask, “Is it secure?” We ask, “Is it observable?”

A defensible system provides Demonstrable Controls. It allows you to export the truth.

Report Request: Access Log
Target: Client_X_Records
Range: 2025-01-01 to 2025-06-30

Output:

  • 2025-02-12: User J.Doe VIEWED Record (Duration: 45s)
  • 2025-03-15: User M.Smith EDITED Record (Field: Address)
  • 2025-04-01: SYSTEM BACKUP (Encrypted)

This output is not just data; it is a shield. It demonstrates that you maintain a Chain of Custody.

Therefore, if you cannot prove it, you do not have it. Do not accept a vendor’s assurance. Demand the log. If they cannot provide it, they are transferring their risk to you. That is a transaction you should refuse.
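
The report request above, as an added example rather than code from this page or from any vendor: a hash-chained access log that refuses to produce the CSV if any entry has been altered. The event fields, function names and sample entries are constructed for illustration, and hash chaining is an assumed way to make the log tamper-evident, not something the page prescribes.

```python
import csv, hashlib, io, json
from datetime import date

GENESIS = "0" * 64  # assumed starting value for the hash chain

def entry_hash(prev, event):
    # Hash the previous entry's digest together with this event's canonical JSON.
    body = json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev + body).encode()).hexdigest()

def append(log, day, user, action, target, detail=""):
    """Append an event, linking it to the hash of the entry before it."""
    event = {"day": day, "user": user, "action": action, "target": target, "detail": detail}
    prev = log[-1]["hash"] if log else GENESIS
    log.append({**event, "hash": entry_hash(prev, event)})

def verify(log):
    """Return the index of the first entry that fails the chain, or None if intact."""
    prev = GENESIS
    for i, entry in enumerate(log):
        event = {k: v for k, v in entry.items() if k != "hash"}
        if entry["hash"] != entry_hash(prev, event):
            return i
        prev = entry["hash"]
    return None

def access_report(log, target, start, end):
    """CSV of every event on `target` from start to end, inclusive."""
    if verify(log) is not None:
        raise ValueError("log failed integrity check; report is not evidence")
    out = io.StringIO()
    w = csv.writer(out, lineterminator="\n")
    w.writerow(["day", "user", "action", "detail"])
    for e in log:
        if e["target"] == target and start <= date.fromisoformat(e["day"]) <= end:
            w.writerow([e["day"], e["user"], e["action"], e["detail"]])
    return out.getvalue()

# Constructed sample events: the three from the report above, one on another
# record, and one outside the requested date range.
LOG = []
append(LOG, "2025-02-12", "J.Doe", "VIEWED", "Client_X_Records", "Duration: 45s")
append(LOG, "2025-02-20", "J.Doe", "VIEWED", "Client_Y_Records", "Duration: 10s")
append(LOG, "2025-03-15", "M.Smith", "EDITED", "Client_X_Records", "Field: Address")
append(LOG, "2025-04-01", "SYSTEM", "BACKUP", "Client_X_Records", "Encrypted")
append(LOG, "2025-07-02", "M.Smith", "VIEWED", "Client_X_Records", "Duration: 5s")

if __name__ == "__main__":
    print(access_report(LOG, "Client_X_Records", date(2025, 1, 1), date(2025, 6, 30)))
```

The chain only exposes edits if the latest hash is also recorded somewhere the log's writer cannot change; anyone able to rewrite the whole log can otherwise recompute every hash.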

FAQs

Is encryption not enough?

Encryption protects data from theft. It does not protect data from misuse by an authorized user. You need logs to detect internal threats.

What should I ask a vendor?

Ask: 'Can I export a CSV of every user who viewed this specific file between these dates?' If the answer is no, walk away.

Why is 'provenance' important?

Provenance tells the story of the data. Without it, you have a file but no history. In court, history is validity.