Making an organisation cyber-secure is difficult. As a supplier, demonstrating to an external customer that you are cyber-secure is even more difficult. Conversely, as a customer, how can you tell which organisations take it seriously?
One approach is to look at adherence or compliance to a security standard. But which one should you look for? IASME, PAS555, ISO27001, the ISF Standard of Good Practice, PCI-DSS, adherence to the Ten Steps, or controls to manage the SANS Top 20…
In fact, a research report by PwC identified over 1,000 global security standards you could choose from.
All these standards exist for a good reason – standards matter – but having too many makes it difficult for the non-expert to distinguish good from bad. Even recognising a standard like ISO27001 is not sufficient, as it can be implemented as a tool to improve a business's security posture, or as a tick-box compliance exercise that fails to make any real difference.
The UK Department for Business, Innovation and Skills (BIS) faced exactly this challenge when looking for a standard to promote in the UK as the minimum an organisation should adopt. The motive is to provide a baseline for all UK organisations to aim for, thereby advancing the Cyber Strategy of making the UK a safe place to do Cyber Business.
Following a wide industry consultation, BIS have announced the outcome of their call for evidence on a preferred organisational standard for cyber security.
In my simplistic view, BIS is essentially going to define a profile of ISO 27001 (in an ambitious time frame). The profile will say “These are the really important bits; you really must do these as a minimum” and “If you are unsure how to do them, here is a pattern of what good practice looks like”. Organisations will be able to adopt this as a model to improve their security and then, if appropriate to their business, seek validation from an external party that the controls are suitably in place (it is not yet obvious how this certification will work in practice).
As I understand the intent, adherence to this profile will start to be written into government procurements.
At NEXOR, as an organisation with ISO 27001 across the business, the proposed BIS approach is simple for us: we already have a suitable framework in place, and we look forward to seeing how closely the view of good practice matches our existing controls. This is why we agreed to be a pilot site for the new BIS standard.
Some cynics might suggest all this has done is create yet another standard. I don’t subscribe to that view – in the 1990s, when implementing the international standards for email and directory systems (X.400 and X.500), we also had profiles of the standard, called Implementers' Agreements. These worked well, clarifying and simplifying the standard for suppliers that could not invest in a full solution. In practice, I suggest it is likely that a set of profiles will emerge over time to reflect different business scenarios.
There will be some concern among small organisations about the potential costs. At the launch event, David Willetts (Minister for Universities and Science) was very careful to point out that this should not involve a large cost to obtain the standard and take steps to implement it. I will reserve judgement on this until the details of the profile emerge next year. In my experience, the main cost is internal to the business: making sure you do the basics like patching, keeping AV up to date and removing admin privileges by default, as well as staff awareness training etc. Surely most trustworthy businesses would want to do this anyway – otherwise they risk a CryptoLocker infection, which is far too serious a risk for any business to ignore. Is this simply a cost of doing business in the cyber world? Surely it cannot be optional for a credible business!
Will the approach succeed? In my view it has every chance, but the critical success factor is adherence being mandated in government contracts. This mandate is essential to drive adoption toward a critical mass.