Standards: Voluntary, Mandatory, or a Waste of Time?

By Eric Noonan • January 31, 2013

Siobhan Gorman of the Wall Street Journal wrote yesterday that “Fortune 500 companies in a range of industries back a system of voluntary cybersecurity standards”. The topic of cybersecurity standards being voluntary or mandatory often sparks lively debate, but unfortunately, it’s the wrong discussion.

In a knowledge-based economy, intellectual property is the lifeblood of many businesses in America today, and protecting it collectively is ultimately a matter of national security. The government has an appropriate role, indeed a responsibility, to regulate how that is done, and it has done a tremendous amount of good work in defining recommended controls in the National Institute of Standards and Technology Special Publication 800-53. So I write this as a believer that the government has an important role to play in defining and implementing cybersecurity standards, given the national security implications.

Compliance with standards and regulations like PCI DSS, HIPAA and others, voluntary or not, should be an outcome of an effective security program and not a separate objective divorced from day-to-day operations. When viewed in a vacuum, compliance with standards can be bureaucratic, costly and not materially effective in reducing actual risk. Fortunately, there is an efficient and effective way to deal with compliance, and that’s the discussion we should be having.

The work being done in security operations centers and IT delivery organizations to secure a company’s assets and information should be documented, measurable and process-driven. If your security program meets these criteria, then the outcomes and effectiveness of your efforts can be easily measured against compliance with standards, often in an automated fashion. If your security program isn’t documented, can’t be consistently measured for effectiveness, and is not process-driven, then compliance with standards is a paperwork exercise that adds little or no value. Security programs like this often struggle to demonstrate their relevance to the underlying business as well, because the business isn’t sure what it should be getting for its security dollar.

If compliance with prescribed standards is a drain on your resources and you can’t see the value, that could be a red flag that your overall security program isn’t meeting its objectives. Seize the opportunity to develop a strategy for your security organization, set success criteria, define metrics and articulate your value to the business. If you’re doing that, compliance will be easy.
