Wednesday, November 27, 2013

A Means to a Measured Approach to Cybersecurity

Having posted innumerable times on the many benefits the energy and other critical infrastructure sectors would achieve if they would identify a few security metrics and start measuring them, it seems that a practical means to at least partially achieve this objective may be at hand.

Just came upon a new company that appears to be pursuing a good part of the SGSB playbook, though they appear to have found their way to these ideas by following their own path.

A few of the principles we seem to share include:

  • You must measure security if you're ever going to manage it well
  • Similarly, you must measure security if you're ever going to align security investments and policies with business or mission objectives
  • Compliance-based approaches provide at best a false sense of security
  • Significant attention by and involvement of Senior Management and Board is important
In a recent WSJ article, this company, BitSight, noted a correlation between its findings re: the observable technical security indicators it tracks and the companies that scored the best in its recent study. Top performers had: "a greater focus on cybersecurity by senior management." But of course.

And here's its critique of compliance approaches to security, published in Risk Management Monitor last week. Sounds as if they're channeling many of our thoughts about compliance regimes like the NERC CIPs: 
A company may be compliant with all the appropriate regulations and have excellent security policies but may be completely ineffective in the day-to-day implementation of these policies .... Also, no matter how complete a checklist or audit is, its results are only a point in time reflection and can’t measure the dynamic nature of the risks it is meant to assess ....
Please note the security measurement techniques developed by BitSight in their early days are neither comprehensive nor perfect. But they needn't be to be of great value to orgs (or their partners, suppliers, regulators, etc.) trying to figure out how they are doing and how to improve over time.  Recommend you/we keep an eye on them.

10 comments:

Unknown said...

Security for these semi-rural areas is a growing concern. Trespassing, theft and burglary are major concerns for rural property owners and residents as sometimes crooks view these rural isolated areas as easy marks. 메이저놀이터

Unknown said...

wow....amazing post.It was really helpful.Continue Blogging.Warehouse Audit | Fixed Assets Audit | Customer Reconciliation

Sherin infanta said...

I have to voice my passion for your kindness giving support to those
Thanks for one marvelous posting!.... Continuous Monitoring
Profit Recovery
Duplicate Payment

Industrial control Systems Cyber Security said...

Great informative blog... I found this blog content very helpful. Thanks for sharing details of industrial control systems cyber security.

Swethagauri said...

I ‘d mention that most of us visitors are endowed to exist in a fabulous place with very many wonderful individuals with very helpful things.external audit services in dubai

SIyad said...

Nice Blog, Thanks for sharing

Team auditing firms in uae and aroma diffuser

KaKa said...

Your blog is great. It’s very interesting
odzyskiwanie danych Warszawa

Elate Soft said...

great and approaching content for blogging purpose.
ERP Software Dubai

smtp service providers said...

This web site is very popular, educated and intended to benefit.

best accounting software dubai said...

Great and approaching content.
Cheque Printing Software UAE