This month the Swiss Federal government organized a Swiss Digital Day to help drive the discussion within Switzerland on the impact of digitalization on the different aspects of our lives. Cybersecurity is all over the place, which is very good – something that would not have been the case a few years ago. Everybody knows that without security there will be no trust, and without trust the desired effects of digitalization might not materialize the way we want.
I had the privilege to be part of these discussions in different panels and events. Interestingly, government officials and politicians are seeking guidance on how to put regulation in place regarding security. What shall they do and how far shall they go? Having been the CSO of a critical infrastructure, I have a few points to raise here…
Maybe I am oversimplifying, but there are a few reasons why you could put regulation in place in this space:
- You want to protect the society from unwanted behavior of some market players (e.g. outage of a critical infrastructure)
- You want to make sure everybody is playing by the same rules and therefore carries the same cost
- You want to build a framework where companies can grow and drive innovation securely
These goals need to be kept in mind when we talk about regulation, to make sure we hit the mark.
When you think about regulating cyber security, the current focus has to be on basic security (and infrastructure) hygiene. Worms like Blaster, Slammer and others in the early years of the century could spread because of widely unpatched systems. WannaCry could spread – well – because of widely unpatched systems. The industry made a lot of progress, but a lot of the basics still have not been addressed.
- Identity and Access Management: Without proper identity management there is no security. Most companies have organically grown IAM systems and have a hard time figuring out who has access to what, and when. There has been progress in the industry, but there is still a long way to go.
- Patch Management: There are still way too many unpatched and outdated systems. Part of this problem originates in the fact that core systems of today’s companies were written in the late 1990s and are custom-built on a specific OS version (e.g. Windows XP). Without a major re-design or even a re-development of these applications, they cannot be migrated off legacy operating systems. Unfortunately, this has to be done and costs a lot of money. There is no way around it.
- Inventory: Without a proper inventory you do not know what to patch and what to defend. This is true for hardware and software, and for data as well. One of the major blockers for cloud adoption is often that customers do not know what data they have and where it is.
- Do not invent a standard! There are frameworks out there like ISO 27001, COBIT, COP etc. Are they perfect? Probably not, but they are a baseline into which a lot of security pros put a lot of time and energy to define a reasonable framework. With all due respect, I cannot see how a regulator can come up with something better. What the regulator should do is understand which part of the standard should be enforced first, and why, and then require a subset of one of these standards. Focus!
- Do not confuse security and compliance. With good security you should get compliance; with good compliance, you only get compliance and not necessarily security. I have seen too many customers who are forced to focus on following “yet-another”-regulation. They know that it only marginally reduces their security exposure and that there would be more pressing things to do, but they are forced to check the box.
- Understand that people who understand security are a scarce resource, and their time should be invested wisely.
I think that regulation might make sense if it is applied wisely and is targeted at solving the key fundamental challenges. To get there, close collaboration between security people in the private sector and the regulator is needed to ensure that the regulation makes sense and really improves the situation.
Currently my biggest worry is a security incident with significant impact on critical infrastructure. I am convinced that it will happen. After such an incident, people will ask for a strong hand by the government, and regulation will be put in place and enforced. If these are the right ones, I am fine, but I fear that this will lead to more overhead and not necessarily more security.