Better standards for standards please

Yesterday’s IT Governance Watch event in London, organized by the UK Cyber Security KTN and The National Computing Centre, was an interesting attempt to address the seemingly paradoxical concept of how security standards can inspire innovation and good practice. You might think that this would be an oxymoron. But there are authoritative claims by senior level government reviews that standards do in fact promote such innovation.

On a more practical level, some people now believe that it’s time to set the scene for an “observatory” of security standards. There are so many of them out there that some users are calling for assistance in navigating the proliferating standards landscape. You might of course see this suggestion as yet another “jobs for the boys” initiative. But to be fair, it’s high time we addressed the standards space. Standards can be immensely powerful vehicles, as anyone who’s had to address PCI DSS will appreciate. They’re simply too important to be left in the hands of a standards community, hungry for more business. 

The main problem with standards is that, like architectures, they’re a means to an end, not an end in themselves (unless you happen to work for a standards organisation). Security standards are also very different from other technology standards in that they’re generally designed to solve historical problems rather than to present a common platform for future developments. And no two standards are the same. They can be general or specific. They can be flexible or prescriptive. And they can be designed to raise a standard of practice, or just to standardise it. Some standards demand an innovative response, while others stifle it. A few, such as PCI DSS, are badly drafted (at least from a standards perspective). But others, such as BS7799, are no less than minor works of art. Some standards are also based on the consensus of hundreds of contributors, while others are based on the views of a mere handful of self-appointed experts. And it’s important to also bear in mind that information security is an immature practice. Many current practices are far from good ones. When it comes to subjects such as risk management, for example, the cupboard looks bare and we could do with some fresh thinking.

These are all good reasons to place a brake on the standards process. But that would dilute our potential to tackle an increasingly complex security landscape and, in particular, to develop agreed solutions for collaborative working. The answer, in my view, is to raise our game: to ensure that the number and range of standards is appropriate to meet emerging business needs; that they’re developed by a sufficient pool of knowledgeable subject matter experts who understand the nuances of what makes a good standard; and that they’re both realistic and maintainable. In short, we don’t need an observatory to help people navigate a landscape of inappropriate standards. But we do need a much better filter to sort out the wheat from the chaff.