Cyber regulation has generally created a “backward-looking” compliance approach to cybersecurity that is antithetical to actually improving security, according to the Internet Security Alliance’s Larry Clinton, who says effective risk-management alternatives are available.
“To begin with, traditional compliance is essentially a backward-looking pass-fail issue,” Clinton wrote in a Thursday blog post. “Cybersecurity, on the other hand, is a forward-looking risk management issue. In a compliance model you typically have to check off boxes indicating what you have done. You have either filed the forms or not. You are on time or not. You have fulfilled the requirement or not. You can check the box or not. You are in compliance, or you are out of compliance. Pass-fail.”
Cybersecurity, on the other hand, “is not pass-fail. You are not secure or insecure. Security is a continuum with gradations of security. Moreover, not all entities, even within an industry sector have the same security needs or the same threats to their security. As a result, a traditional check the box compliance system is inappropriate to for the cyber security domain.”
The blog is the latest in a series by ISA as part of a “national dialogue” leading to a comprehensive package of recommendations. Last week Clinton wrote the federal government lacks the expertise to mandate effective cybersecurity requirements for industry, saying failures to secure the government’s own systems reveal the need for a major readjustment in thinking about cyber policy.
Clinton has long argued that government officials fail to consider the economics around cybersecurity and typically try to apply solutions that don’t actually make companies or government systems more secure.
In his latest posting, Clinton said, “Traditional compliance is also a backward-looking system. Did you do x or did you not do it? Cybersecurity is not a backward-looking exercise. Good cyber risk management is forward looking, one of the critical steps in good cyber risk management is to anticipate what sorts of threats you are likely to be subjected to and appropriately target your, typically scarce, security resources toward those attacks.”
He wrote: “Over the past few years, the market has actually developed far more appropriate models, such as X-Analytics and Factor Analysis of Information Risk (FAIR) which are far better tailored to assessing cybersecurity practice than generic regulatory check lists.”
Clinton added, “For example, Jack Jones, one of the main innovators of the FAIR model has suggested a much more useful framework for developing an organizational model for cyber risk assessment.”
The Jones model includes:
- Use the best available data to assess possible attack scenarios you face
- Focus on what scenarios are probable and cause enough loss to matter
- Calculate best, worst, and most likely cases
- Determine to what degree loss is acceptable — risk appetite
- What investment needed to mitigate loss to an acceptable level
- Use advanced modeling (e.g., Monte Carlo simulations) to determine most appropriate spend to address the unique cyber risk for your organization.
Clinton concluded, “Given the inappropriateness of the core regulatory model with respect to the cyber problem and the lack of empirical evidence that it works it would be a huge mistake to expand the model.”