Often in the security field we hear the question asked, “Who’s watching the watchers?” It occurred to me recently that one might make a similar rhetorical quip about other aspects of our field – in particular, the question of “Who’s standardizing the standards?”
I wrote a piece last month, titled SANS Twenty Critical Controls as an Information Security Standard of Care. The article was inspired by several conversations I had been having with some lawyer types regarding how the legal system is starting to catch up with information security, and how the notion of a standard of care is becoming a major factor in evaluating an organization’s level of liability in a post-security event scenario.
There are dozens of standards that address issues of adequate information security, some of which are general and meant to be applied widely and some which are specific to a particular industry vertical. While compliance mandates have legal teeth of their own, to an extent it is still largely up in the air as to which of the standards the courts will turn to when determining if an organization was making good faith efforts to maintain a minimally acceptable security program.
In the article, I noted that the Twenty Critical Security Controls – also commonly known as the SANS 20 Critical Security Controls, the Center for Internet Security (CIS) 20 Critical Controls, and the Consensus Audit Guidelines (CAG) – may have emerged as a leading contender after the Cybersecurity Law Institute recently anointed it as being the “defacto yardstick by which corporate security programs can be measured.”
A friend who happens to be the CSO for a large Fortune 500 company shot me a somewhat terse but friendly series of emails inquiring as to why – between my article and the series my associate Adam Montville is doing on the 20 Critical Controls – we as a company were so enamored with the SANS 20.
“You have a voice in the industry. People are listening. You and Tripwire have a responsibility to do the right thing,” they advised. “We need to think and then act. Not just blindly trust because it’s something that we think that we know, but have never truly verified.”
While I would not go so far as to say we as a company are wholly invested in the 20 CSC, we are in a unique position after our acquisition of nCircle to boldly assert that we are the leading network security provider with solutions to address the first four of the 20 CSC, a point which I relayed to my associate. After a series of impassioned exchanges, I asked if they would consent to a guest post or interview on the matter. As much as they wanted to, they could not due to extenuating circumstances, some of which I cannot go into here.
“Unfortunately, cybersecurity is a very sensitive issue for my public affairs team and we’re at the crossroads to possible regulation in many sectors, including mine, so I can speak with you, but not officially and you can’t directly quote me,” they said.
They did however consent to my using some of the exchange if attributed anonymously. Aside from the fact that the 20 CSC are mainly being promoted by a for-profit organization with a stake in their adoption, my friend’s main gripe is that the 20 CSC are merely technical controls and not holistic enough to address the issues facing organizations where information security is concerned.
“For many years, we have all come to know and trust the SANS Top 20 as a point of reference for good technical controls to address the security problem. A Technology only approach won’t really help in the long run,” they said. “We all know that security is a balance of People, Process, and (then) Technology.”
While that is absolutely true, this sentiment is coming from a professional who administers a program at a much more mature stage than most organizations. As I mentioned in the previous article, this set of standards was developed by the NSA at the request of the Defense Department in an effort to remediate the most common network vulnerabilities that accounted for the greatest number of attacks, which makes the 20 CSC the best place for an organization to start.
They then pointed out that the 20 CSC were not meant to be an all-encompassing standard, which is quite true. “It was never meant to be a standalone body of work. OWASP Top 10 works with it. So do PROCESS-oriented security frameworks such as FISMA, COBIT, and ISO 27001,” my CSO friend explained.
“ISO 27001 is doable by most if they took the same time to implement it like they would the CAG, it’s much more holistic, and truly internationally adopted. The governments of Germany, Japan, etc. have adopted ISO,” they continued.
And they are right, ISO has a tremendous presence internationally. So that got me wondering why the ISO standards have not gained more ground here in the U.S., and, given that they are more holistic in nature as my CSO pal pointed out, why it was that the 20 CSC seemed to be gaining ground over ISO with the American legal community.
I was out to dinner in London with some associates during the week of the Infosecurity Europe conference last month when I brought the topic up to Dan Houser, a well known mover and shaker in the industry with a string of letters after his name as long as my arm, and who also happens to be a sitting member of the (ISC)2 Board of Directors.
I joked that 2013 had yet to be christened as “The Year of…” something, and suggested perhaps this is the year of the standard. Much to my surprise, Dan responded that I might be on to something – proving once again there is always a first time for anything.
Over several subsequent conversations, Dan and I tossed around the idea of doing a series of articles examining not only the various standards that have evolved over the last twenty years, but the entire process of standardization that the industry is going through, and will continue to go through for who knows how long.
Dan’s very apt observation was that it is akin to the process in other disciplines, and he pointed to the fact that the art of medicine is thousands of years old, but it was only one century ago that it actually became “standardized,” which plays directly into my original premise of defining an infosec “standard of care.”
We are not sure exactly where we will end up going with this series, and that is kind of the point. This is a young industry, and although the effort to set standards began almost on day one, there is still a lot of room for dialogue, consensus and disagreement – as illustrated by my to-remain-unnamed CSO friend.
We will be tapping many bright and knowledgeable folks for this series, and if at any time you want to contribute to the conversation, feel free to send a tweet to me (@AnthonyMFreed) or Dan (@SecWonk) with the hashtag #SecStandard, and we will see where the conversation takes us…