Cybersecurity is pretty old in Internet years, but relatively speaking, it’s still a child. We can draw some parallels between the cybersecurity industry and the financial industry, starting with the present and working our way backward. In the financial industry there is something known as Generally Accepted Accounting Principles (GAAP); you’ve probably heard of it. The cybersecurity industry, as a whole, has no such thing. This is the first in a multipart series on automating cybersecurity, and what better place to start than with issues of vocabulary.
I’m not an accountant, so I’m not trained in financial areas and need to rely on external sources of information for the history of GAAP. According to Wikipedia (here), auditors played the lead role in developing GAAP, which has its genesis in the Great Depression. In 1939 the American Institute of Accountants (today the American Institute of Certified Public Accountants) created the Committee on Accounting Procedure, which was replaced by the Accounting Principles Board in 1959. The more familiar Financial Accounting Standards Board (FASB) replaced the Accounting Principles Board in 1973 under the supervision of the Financial Accounting Foundation. Today, GAAP is influenced by the FASB, the Governmental Accounting Standards Board (GASB), and the Public Company Accounting Oversight Board (PCAOB). The financial industry has been on a path toward abandoning U.S. GAAP in favor of the International Financial Reporting Standards (IFRS), following a roadmap laid out by the Securities and Exchange Commission (SEC).
That’s a lot of historical information, but the key takeaway is that the maturation of an industry never ceases. The convergence upon IFRS is natural given that the spirit of country-specific GAAP around the world is essentially the same: to codify how firms and corporations prepare and present their income, expenses, assets, and liabilities on financial statements. It has taken more than 70 years to get the financial industry where it is today, and it’s still evolving.
What does all this have to do with cybersecurity? Cybersecurity is a comparatively young industry, and while the financial industry has a common reporting vocabulary upon which it can rely, the cybersecurity industry has a long way yet to travel. One can imagine that organizations producing GAAP-compliant reports still have their own way of looking at the world internally; the same is likely to hold true for organizations with security programs, even after a common reporting vocabulary is established.
We should explicitly recognize that the real importance of GAAP and IFRS is to establish a common vocabulary for commonly shared concerns. If you were comparing two companies for investment purposes, how useful would it be if Company A reported financial information in its own way and Company B in another? The cybersecurity industry faces the same problem today: we cannot really speak the same language from one entity to another. For example, how easy would it be to compare the security posture of Company A against that of Company B? Suppose Company A runs an ISO 27001-based Information Security Management System and Company B adheres to COBIT 4.1. How do you truly compare the two?
The answer, today, is that you can’t, even given the similarities between the two frameworks. There are a lot of reasons for this, which I intend to explore with you over the next several weeks (ok, probably months; it’s a large topic). We’ll cover fundamental automation issues surrounding benchmarks and frameworks, platform identification, workflows, assets and their characteristics, configuration items, scoping, mapping benchmarks to frameworks, and (of course) metrics and reporting. We’ll look at existing security automation efforts and correctly recognize the progress they’ve made, but we’ll also see that we’re far from reaching the nirvana of automated security processes that can be commonly reported, measured for effectiveness, and therefore suitably compared by the average person.