Too much regulation and too many guidelines are causing issues for businesses, specifically SMEs.
Speaking at the Gartner Security and Risk Management Summit in London, former government and GCHQ IT engineer Mike St John-Green said that while we need standards for organisations and the services they deliver, there are often too many.
In his talk titled 'Sufficient cyber security - how much is good enough?' he claimed that there needs to be an evolution of standards.
He said: “We don't know what is good enough in cyber security, but the current world of standards is complex and the world could do with a consolidation of standards. We need to form an industry model on where we need standards, what they need to look like and what to do with a simplified model.”
St John-Green said that the business model in security is one that incorporates products and services, and also organisations and people. He said that products should be bought as an enduring service and be seen as a commodity. On people, he said that organisations "need to know when people are good enough" and that it "should be our goal to get the market to report so good behaviour is rewarded and bad behaviour is penalised".
“A standard needs to be interpreted so that we end up with interoperability testing. For organisations, audit, but are we doing them? We've got questions on how we operate. Where do we need security standards? For products, services, organisations and people,” he said.
St John-Green later said that we are not in a place where there are too few standards, but that we have too many. He said: “The perspective I've gained is that the subject is baffling; there are too many models and this increases costs for organisations to abide by, so the last thing they need is a different framework. Small-to-medium enterprises (SMEs) also see this as a barrier for entry and they are not in a position to bring convergence either.
“What is desirable is converged headings. Risk management has a special place but I believe that an organisation can demonstrate that it is competent with risk management, but for SMEs it is a real problem and it is very expensive. We need to develop a different approach with prescriptive practice. If one goes down this path, there is a high jump with minimum gap.”
He concluded his talk by saying that he had an issue with 'one size fits all', as the industry could do well to have profiles, including a risk profile that determines which controls apply to a particular sector.
“I believe better understanding will improve our hygiene and in the absence of demand, the security market has not developed as it should have. We know what good enough looks like but we don't know how to determine good enough; there is an argument for being told what to do though,” he said.