Last Updated on April 22, 2021
A wise CISO once said: “The only thing worse than no cybersecurity guidance is too much cybersecurity guidance.” In today’s world, we are blessed/cursed with multiple, interrelated and cross-referenceable standards of comparable scope and value; e.g., ISO 27001, SOC 2 and the DoD’s new Cybersecurity Maturity Model Certification (CMMC).
It’s too bad if an organization fails to take advantage of one of these comprehensive, third-party attested security frameworks. But arguably it’s even worse if a firm ends up needing to invest time and energy undergoing audits and achieving certification against more than one standard, or maintaining dynamic mappings from its controls to various standards, with no net benefit to its security or competitiveness.
Can we ever have “just one” cybersecurity standard? How might that come to pass, and what might the results look like for security-conscious companies?
Pivot Point Security CISO and Managing Partner, John Verry, an ISO 27001 lead auditor and long-time advocate of “provable security,” speculated about this hot topic on a recent episode of The Encrypted Economy Podcast, hosted by cyber/legal expert and thought leader Eric Hess.
Eric asks: “What do you think the forces are that will result in industry or the government saying [multiple standards are] a net tax on business? … I guess you could just say you have to certify across ISO, NIST, CMMC, and that’s one certification or one audit. But is that the path that it goes down? Or does it go the path where they basically say, we [pick] CMMC, and the other ones naturally fall away? What’s the triggering event that starts to bring some more clarity and more standardization around these frameworks?”
“I think CMMC is the triggering event,” John asserts. “Whether or not it will actually go to the end game that we discussed, who the heck knows? And I also think there’s a complexity to this that will never go away, unfortunately. I’d love to tell you that we could get to a point where there was one standard. And realistically, who cares? ISO, CMMC, SOC 2… Let’s get to a point where there’s one open, trusted standard. Everyone knows how to do it. There’s clear and unambiguous guidance. There’s a playbook and we’re all more secure.”
“Where I think the complexity comes into play is that technology evolves every day,” notes John. “So as we’ve migrated to be more cloud-enabled, what if your standard is not super cloud-oriented and doesn’t do a good job of addressing cloud risk? We’ve got the Internet of Things, which is going to be another amazingly significant change in the world over the next five to ten years. IoT risk, embedded technology risk, is radically different than risk to conventional business. Although conventional businesses are part of that [IoT] risk profile and they don’t really even know it.
“Then you’ve got operational technology: SCADA systems and industrial control systems and smart factories and things of that nature, which are both an IoT risk and a separate operational style risk. Which, again, needs some specific guidance around it.
“And then the last one, of course, is privacy, which has become just a bear. We’ve got GDPR, we’ve got APAC, we’ve got the California Consumer Privacy Act. Privacy is different. So, we’ve got to address privacy [with a separate standard].
“I don’t know that there will ever be a one-size-fits-everything standard. I think the question is, can we reduce the number of similar standards and consolidate to one there? That way, the special purpose standards, which are just a natural evolution of evolution, we’ve got less to worry about. We don’t have 50 things we’re looking at; we’ve got five,” opines John.
“I think ultimately, on the privacy side, we will move toward a federal law,” shares Eric. “It’s in the cards—it’s just a question of when. Because various states are going to have to adopt these privacy regulations. People are going to be screaming the same cry, which is, ‘How do I comply with 50 different states?’”
“I think you’re right, for sure,” responds John. “And there is a NIST privacy framework, which came out last year. It aligns with the NIST cybersecurity framework. I think that it was built in a way that you can integrate your InfoSec and privacy management programs. Which is a really powerful thing. ISO does that with ISO 27001 and ISO 27701. So I think that’s really reading the tea leaves…”
To listen to this episode of The Encrypted Economy podcast with special guest John Verry and host Eric Hess all the way through, click here.