Standards: Voluntary, Mandatory, or a Waste of Time?

By Eric Noonan • January 31, 2013

Siobhan Gorman of the Wall Street Journal wrote yesterday that “Fortune 500 companies in a range of industries back a system of voluntary cybersecurity standards”. The topic of cybersecurity standards being voluntary or mandatory often sparks lively debate, but unfortunately, it’s the wrong discussion.

In a knowledge-based economy, intellectual property is the lifeblood of many businesses in America today, and protecting it, collectively, is ultimately a matter of national security. The government has an appropriate role, indeed a responsibility, to regulate how that is done, and it has done a tremendous amount of good work in defining recommended controls in National Institute of Standards and Technology (NIST) Special Publication 800-53. So I write this as a believer that the government has an important role to play in defining and implementing cybersecurity standards, given the national security implications.

Compliance with standards and regulations like PCI DSS, HIPAA and others, voluntary or not, should be an outcome of an effective security program, not a separate objective divorced from day-to-day operations. Viewed in a vacuum, compliance with standards can be bureaucratic, costly and not materially effective in reducing actual risk. Fortunately, there is an efficient and effective way to deal with compliance, and that is the discussion we should be having.

The work being done in security operations centers and IT delivery organizations to secure a company's assets and information should be documented, measurable and process-driven. If your security program meets these criteria, then the outcomes and effectiveness of your efforts can be measured against the standards you must comply with, often in an automated fashion, because the evidence a control requires is already being produced by the process that implements it. If your security program isn't documented, can't be consistently measured for effectiveness, and is not process-driven, then compliance with standards is a paperwork exercise that adds little or no value. Security programs like this often struggle to demonstrate their relevance to the underlying business as well, because the business isn't sure what it should be getting for its security dollar.

If compliance with prescribed standards is a drain on your resources and you can't see the value, that could be a red flag that your overall security program isn't meeting its objectives. Seize the opportunity to develop a strategy for your security organization, set success criteria, define metrics and articulate your value to the business. If you're doing that, compliance will be easy.
