Wednesday, November 27, 2013

A Means to a Measured Approach to Cybersecurity

Having posted innumerable times on the many benefits the energy and other critical infrastructure sectors would achieve if they would identify a few security metrics and start measuring them, it seems that a practical means to at least partially achieve this objective may be at hand.

Just came upon a new company that appears to be pursuing a good part of the SGSB playbook, though they appear to have found their way to these ideas by following their own path.

A few of the principles we seem to share include:

  • You must measure security if you're ever going to manage it well
  • Similarly, you must measure security if you're ever going to align security investments and policies with business or mission objectives
  • Compliance-based approaches provide at best a false sense of security
  • Significant attention by and involvement of Senior Management and Board is important
In a recent WSJ article, this company, BitSight, noted a correlation between the observable technical security indicators it tracks and the companies that scored best in its recent study. Top performers had: "a greater focus on cybersecurity by senior management." But of course.

And here's its critique of compliance approaches to security, published in Risk Management Monitor last week. Sounds as if they're channeling many of our thoughts about compliance regimes like the NERC CIPs:
A company may be compliant with all the appropriate regulations and have excellent security policies but may be completely ineffective in the day-to-day implementation of these policies .... Also, no matter how complete a checklist or audit is, its results are only a point in time reflection and can’t measure the dynamic nature of the risks it is meant to assess ....
Please note that the security measurement techniques BitSight has developed in its early days are neither comprehensive nor perfect. But they needn't be to be of great value to orgs (or their partners, suppliers, regulators, etc.) trying to figure out how they are doing and how to improve over time. Recommend you/we keep an eye on them.