Standards: Voluntary, Mandatory, or a Waste of Time?

By Eric Noonan • January 31, 2013

Siobhan Gorman of the Wall Street Journal wrote yesterday that “Fortune 500 companies in a range of industries back a system of voluntary cybersecurity standards”. The topic of cybersecurity standards being voluntary or mandatory often sparks lively debate, but unfortunately, it’s the wrong discussion.

In a knowledge-based economy, intellectual property is the lifeblood of many businesses in America today, and ultimately protecting it, collectively, is a matter of national security. The government has an appropriate role, indeed a responsibility, to regulate how that is done, and it has done a tremendous amount of good work in defining recommended controls with the National Institute of Standards and Technology Special Publication 800-53. So I write this as a believer that the government has an important role to play in defining and implementing cybersecurity standards given the national security implications.

Compliance with standards and regulations like PCI DSS, HIPAA and others, voluntary or not, should be an outcome of an effective security program and not a separate objective divorced from day-to-day operations. When viewed in a vacuum, compliance with standards can be bureaucratic, costly and not materially effective in reducing actual risk. Fortunately, there is an efficient and effective way to deal with compliance, and that’s the discussion we should be having.

The work being done in security operations centers and IT delivery organizations to secure a company’s assets and information should be documented, measurable and process-driven. If your security program meets these criteria, then the outcomes and effectiveness of your efforts can be easily measured against compliance with standards, often in an automated fashion. If your security program isn’t documented, can’t be consistently measured for effectiveness, and is not process-driven, then compliance with standards is a paperwork exercise that adds little or no value. Security programs like this often struggle to demonstrate their relevance to the underlying business as well, because the business isn’t sure what it should be getting for its security dollar.

If compliance with prescribed standards is a drain on your resources and you can’t see the value, that could be a red flag that your overall security program isn’t meeting its objectives. Seize the opportunity to develop a strategy for your security organization, set success criteria, define metrics and articulate your value to the business. If you’re doing that, compliance will be easy.
