Just wrote up a review/comments on the new 2013 NIPP released by DHS at the end of December for work. While the NIPP isn’t cybersecurity specific, it is still the policy environment in which non-regulatory critical infrastructure cyber security work happens. Some excerpts most pertinent to this blog are below, but you can (and should!) read the whole thing here: http://www.energysec.org/blog/jack-whitsitt-comments-on-the-new-nipp/
Someone today asked me what I thought of this article:
My answer was short: Obvious? PCI doesn’t work. NERC CIP doesn’t work. NIST standards don’t work. Anyone who says or implies that these companies just needed to do more is lying, trying to sell you something, ignorant, or a combination. Security as we do it, in the context of IT as we do it, in the context of business as we do it does not reliably do what we want it to do.
I know no one thinks we should continue to admire the problem – we need action! But what if we’ve entirely failed to correctly identify and articulate the problem? :P
Someone else replied elsewhere with (regarding the standards/regs mentioned above):
“although they can be foundational for funding and building a good security program, they don’t work on their own.”
While that is true, a lot hinges on what “G.ood S.ecurity P.rogram” means. I’d argue that results from G.S.P.’s are regularly considered insufficient – i.e., Target *had* a Good Security Program and yet here we are.