
Just wrote up, for work, a review with comments on the new 2013 NIPP released by DHS at the end of December. While the NIPP isn’t cybersecurity specific, it is still the policy environment in which non-regulatory critical infrastructure cyber security work happens. Some excerpts most pertinent to this blog are below, but you can (and should!) read the whole thing here:

“…the language used in the new NIPP implies a (positive) evolutionary shift in collective thinking…”
“…It seems like, some of the lessons from the EO and the Framework development process may have influenced the writing of this document…”
“…it does appear that the new NIPP will maintain support of existing public/private partnership mechanisms such as Sector Coordinating Councils (SCC), Government Coordinating Councils (GCC), Critical Infrastructure Protection Advisory Council (CIPAC), Information Sharing and Analysis Centers (ISAC)… Still, it is exceedingly good to see that these mechanisms will not be the *only* ways to partner.”
“…There are a number of stakeholders who, up to this point, have not been part of this dialogue and it would be valuable if they found a way in…The two that come immediately to mind are “The Public” and “Unaffiliated Security Subject Matter Experts (SME).” First, “The Public” is critical infrastructure – at least as customers of risk management – and currently, they have little voice here. Second, most smart hacker or security types, if they are involved at all, are filtered through the business and political realities of their parent organizations and their industry associations. It would be nice to find a way to add those voices to the mix, if only to offer a reality check to things like the #NISTCSF.”
“…More serious than the Risk Management Lifecycle problem, however, is what appears to be a philosophical miss. It is good that cyber and physical security should be more integrated. The change in tone and apparent improvement in flexibility is appreciated, and outcome goals are absolutely a minimum requirement for driving effective security initiatives. However, the new NIPP still doesn’t effectively deal with the overall immaturity of the cybersecurity discipline itself – particularly when compared to the physical space. It feels like there is an assumption that someone knows the right answers and all we have to do is implement them, but that’s not true. In fact, the entire problem space needs reframing away from how the security industry has defined it for us over the past 10 years into something with a business quality assurance baseline that is then supported by risk management…”
“The NIPP and related public/private partnership mechanisms could do with more methods for and focus on the definition of successful cyber security paths forward to meeting collaborative outcome goals, rather than a focus on selecting and then implementing existing paths.”

Someone today asked me what I thought of this article:

My answer was short: Obvious? PCI doesn’t work. NERC CIP doesn’t work. NIST standards don’t work. Anyone who says or implies that these companies just needed to do more is lying, trying to sell you something, ignorant, or a combination. Security as we do it, in the context of IT as we do it, in the context of business as we do it does not reliably do what we want it to do.

I know no one thinks we should continue to admire the problem – we need action! But what if we’ve entirely failed to correctly identify and articulate the problem? :P

Someone else replied elsewhere with (regarding the standards/regs mentioned above):

“although they can be foundational for funding and building a good security program, they don’t work on their own.”

While that is true, a lot hinges on what “G.ood S.ecurity P.rogram” means. I’d argue that results from G.S.P.’s are regularly considered insufficient – i.e., Target *had* a Good Security Program and yet here we are.
