Making an organisation cyber-secure is difficult. As a supplier, demonstrating to an external customer that you are cyber-secure is even more difficult. Conversely, as a customer how can you tell which organisations take it seriously?
One approach is to look at adherence or compliance to a security standard. But which one should you look for? IASME, PAS555, ISO27001, ISF Standard for Good Practice, PCI-DSS, adherence to the Ten Steps, or controls to manage the SANS Top 20…
In fact a Research Report by PWC identified over 1,000 global security standards you could choose from.
All these standards exist for a good reason – standards matter – but having too many makes it difficult for the non-expert to distinguish good for bad. Even recognising a standard like ISO27001 is not sufficient, as it can be implemented as a tool to improve a business security posture, or as a tick box compliance exercise that fails to make any real difference.
The UK Department of Business Innovation and Skills (BIS) faced exactly this challenge when looking for a standard to promote in the UK as a minimum an organisation should adopt. The motive is to provide a baseline of all UK organisations to aim for, thereby advancing the Cyber Strategy of making the UK a safe place to do Cyber Business.
Following a wide industry consultation, BIS have announced the outcome of their call for evidence on a preferred organisational standard for cyber security.
In my simplistic view, BIS is essentially going to define a profile of ISO 27001 (in an ambitious time frame). The profile will say “These are the really important bits, you really must do as a minimum” and “If unsure how to do them, here is a pattern of what good practice looks like”. Organisations will be able to adopt this as a model to improve their security and then, if appropriate to their business, seek validation from an external party that the controls are suitably in place (it is not yet obvious how this certification will work in practice).
As I understand the intent, adherence to this profile will start to be written into government procurements.
At NEXOR, as an organisation with ISO 27001 across the business, the proposed BIS approach is simple for us; we already have a suitable framework in place and we look forward to seeing how close the view of good practice matches our existing controls. This is why we agreed to be a pilot site for the new BIS standard.
Some cynics might suggest all this has done is create yet another standard. I don’t subscribe to that view – in the 1990’s when implementing the international standards for email and directory systems (X.400 and X.500), we also had profiles of the standard, called Implementers Agreements. These worked well, clarifying and simplifying the standard for suppliers that could not invest in a full solution. In practice I suggest it is likely there will become a set of profiles over time to reflect different business scenarios.
There will be some concern among small organisations about the potential costs. At the launch event David Willetts (Minister of Universities and Science) was very careful to point out how this should not involve a large cost to obtain the standard and take steps to implement the standard. I will reserve judgement on this until the details of the profile emerge next year. In my experience, the main cost is internal to the business in making sure you do the basics like patching, keeping AV up to date, and removing admin privileges by default as well as staff awareness training etc. Surely most trustworthy businesses would want to do this anyway – otherwise they risk a Crypto Locker infection which is far too serious a risk for any business to ignore. Is this simply a cost of doing business in the cyber world, surely it cannot be an option for a credible business!
Will the approach succeed? In my view it has every chance, but the critical success factor is adherence being mandated in government contracts. This mandate is essential to drive adoption toward a critical mass.
What is your view? Will your business look to adopt the standard?
Once Upon a Camayoc 
I can remember the rumours when ISO9000 first appeared in the 1990’s that businesses had gone bust trying to implement it. There were also complaints that it was a trade barrier designed to prevent US businesses winning contracts in the UK.
Every excuse to not do it – rather than any reason to be a better business.
Of course the reality is that quality is non-trivial to attain; and it needs discipline and buy-in throughout a business. Just look at McLaren’s commitment to quality and their impact as a consequence in F1.
What BIS are doing feels very much like a cyber-security take on the software engineering good practise bench-mark, TickITplus. This provides a qualitative element to ISO9001 compliance, and is already really very useful to informed customers.
Unfortunately, not every customer is well informed, and some will continue to try and buy technology like they buy commodities – cheap. The consequences of cutting corners in our industry are not as apparent as they are in other sectors – however they can be just as devastating.
In a recent conversation with someone from GCHQ I was bemoaning the regular demand from many of our prime contractors for a “quick hack” rather than an engineered solution. His retort was “Well that’s exactly what they’ll get …” The tech market still has a lot to learn about quality.
I welcome a cyber-security bench-mark. It will help us in our alliances, and it will also give us differentiation in the market.
I regularly come across software development houses (one or two in the security domain) who claim ISO9000 compliance – but what this often seems to amount to is a complaints system. Some avoid seeking certification from the main accreditation agencies and go to an alternative source that know little about software engineering – the last client was probably a jobbing plumber or electrician.
In some ways these “characters” are worse than those that don’t bother. At least their labelling (or lack of) is clear indicator of their status.
This new BIS standard should bring a qualitative bench-mark to cyber-security in the supply chain that should be quickly appreciated by the market. That can only be a good thing.
LikeLike