While the EU and organisations such as the International Organization for Standardization (ISO) and NIST are working to develop standards to curb cyber security threats, almost every nation is also developing its own set of security standards. Many of the bodies doing so have existed for some time (e.g. the Bundesamt für Sicherheit in der Informationstechnik, the German Federal Office for Information Security); others are working to nationalise existing or still-developing standards.
While the NIST document is created for the US federal government, its relevance and use extends beyond geographies and represents good practice that nations and corporates should draw from, leveraging the guidelines to meet their own security goals.
However, I find myself pondering why federal bodies feel the need to define cyber security standards at all. Is it because industry is not secured appropriately? Is it that security professionals aren't always doing their jobs right, or that their skills are not being utilised correctly and efficiently by organisations and corporates? Perhaps it is because the standards that currently exist are no longer suitable for the threat environment we now live in. I suspect it's a combination of all of these.
So let's focus on the profession for the moment and its relationship with policy and standards bodies. It's my opinion that information security professionals aren't always utilised to their full capacity in the development of solutions that supply critical national infrastructure, or of those that are broadly aimed at the digital society. We have to be fair here and hold up our hands: we generally consider ourselves far too busy providing a service to our employers and keeping our jobs. It's the lobbyists, vendors and solutions providers who offer their skills and expertise to policy makers in the definition of new standards.
So why then are we surprised when we find that emerging security standards with serious national and even international consequences are not meeting our needs, or not reflecting our current day to day work of developing, configuring, implementing, and/or managing control environments?
If we want to define where we are going, and have a say in the development of new standards, as a profession we need to engage. There are many ways to do so:
• Contact your local standards authority. They should be delighted to have industry representation.
• Set up and engage through a subcommittee of your local (ISC)2 chapter. (ISC)2 is a liaison body to ISO/IEC and is involved with standards organisations in many regions.
• Participate in your capacity as a private security professional with standards bodies during 'request for comment' periods.
We will all be governed by emerging standards. We can accept these passively or shape them actively. The choice is ours!
Richard Nealon, (ISC)2 EMEA