Wednesday, November 27, 2013

A Means to a Measured Approach to Cybersecurity

Having posted innumerable times on the many benefits the energy and other critical infrastructure sectors would achieve if they would identify a few security metrics and start measuring them, it seems that a practical means to at least partially achieve this objective may be at hand.

Just came upon a new company that appears to be pursuing a good part of the SGSB playbook, though they appear to have found their way to these ideas by following their own path.

A few of the principles we seem to share include:

  • You must measure security if you're ever going to manage it well
  • Similarly, you must measure security if you're ever going to align security investments and policies with business or mission objectives
  • Compliance-based approaches provide at best a false sense of security
  • Significant attention by and involvement of Senior Management and Board is important

In a recent WSJ article, this company, BitSight, noted a correlation between its findings re: the observable technical security indicators it tracks and the companies that scored the best in its recent study. Top performers had: "a greater focus on cybersecurity by senior management." But of course.

And here's its critique of compliance approaches to security, published in Risk Management Monitor last week. Sounds as if they're channeling many of our thoughts about compliance regimes like the NERC CIPs:

A company may be compliant with all the appropriate regulations and have excellent security policies but may be completely ineffective in the day-to-day implementation of these policies .... Also, no matter how complete a checklist or audit is, its results are only a point in time reflection and can't measure the dynamic nature of the risks it is meant to assess ....
Please note that the security measurement techniques BitSight has developed in its early days are neither comprehensive nor perfect. But they needn't be to be of great value to organizations (or their partners, suppliers, regulators, etc.) trying to figure out how they are doing and how to improve over time. Recommend you/we keep an eye on them.
