SBN

Cybersecurity Risk Management … Beyond the “Golden Period”

Where do we stand with the management of cybersecurity
risk? Answer … Not in a good place.

This position was further augmented upon reading an
article in the January 23, 2020 Washington Post by Anna Fifield
with the title “Wuhan quarantine expands as Chinese fear authorities
withholding information about coronavirus outbreak,” available at https://www.washingtonpost.com/world/coronavirus-china-wuhan-latest/2020/01/23/2dc947a8-3d45-11ea-afe2-090eb37b60b1_story.html

One statement, by Guan Yi, a virologist who helped
identify severe acute respiratory syndrome (SARS) in 2003, really resonated. In
reference to the coronavirus epidemic, he said that “We have passed through the
‘golden period’ for prevention and control.”

That characterization rings so true if applied to
cybersecurity attacks and defenses. One can argue as to when that transition
took place. My opinion is that it happened a decade or more ago.

What this means for cybersecurity is that we are beyond
protection, avoidance and (minimally) deterrence, and are turning to detection
and response.

In an interview article “Epidemics expert Jonathon Quick:
‘The worst-case scenario for coronavirus is likely,’” in The Guardian
of March 1, 2020 available at https://www.theguardian.com/world/2020/mar/01/the-worst-case-scenario-for-coronavirus-dr-jonathan-quick-q-and-a-laura-spinney , Quick, the
former heads of the Global Health Council, states that:

“… we have a measure of epidemic preparedness—the Global
Health Security (GHS) Index—that scores countries on six dimensions:
prevention, detection, response, health system, risk environment and compliance
with international standards.”

The GHSI does not appear to include protection, avoidance or
deterrence. I think that it should. Perhaps they are implicit. In any event, it
would seem to make sense for Infosec professionals to consider a similar index
for cybersecurity risk by country, region, industry and organization. Yes,
there are some forms of these considerations such as the Payment Card
Industry’s Data Security Standard (PCI DSS), but they are not ubiquitous and
not completely effective. Furthermore, we don’t have generally-accepted
international cybersecurity standards.

There have been a number of attempts to establish such
standards, but they always seem to fizzle out. I was involved in the GAISP
(Generally-Accepted Information Security Principles) effort when it eventually
came under the auspices of the ISSA (Information System Security Association)
and I was involved directly in the project, heading up one of the tracks. A
January 2004 draft of the GAISP principles is available at https://citadel-information.com/wp-content/uploads/2010/12/issa-generally-accepted-information-security-practices-v3-2004.pdf and is well
worth reading.

The project was never completed. It collapsed under its own
weight and because of differences of opinion among the leaders of the project. It
is one of my greatest regrets that the standards were never finalized. It was
the right time. Since then, we have seen significant failures in cybersecurity
risk management, in large part because there are no universal standards and
global enforcement mechanisms.

We can be reasonably certain that eventually the coronavirus
will be controlled and that vaccines will be developed and made available to
the masses. At this point, we do not know how much physical, emotional and
economic harm will be inflicted on the world population, but it is reasonable
to believe in the prospect of protection against the coronavirus and/or a cure.

Wish that it were so for cybersecurity risk. At this point in
time, there is little indication that cybersecurity risk will be constrained
nor that we will develop the prevention and protection mechanisms needed to
mitigate, if not eliminate, the risk.

It is time to resurrect the creation of global standards and institute
effective organizational structures that will begin to contain rampant
cyberattacks and minimize the destruction that they cause.


*** This is a Security Bloggers Network syndicated blog from BlogInfoSec.com authored by C. Warren Axelrod. Read the original post at: https://www.bloginfosec.com/2020/03/09/cybersecurity-risk-management-beyond-the-golden-period/?utm_source=rss&utm_medium=rss&utm_campaign=cybersecurity-risk-management-beyond-the-golden-period