It is. But it is what it says on the cover “an Executive Companion”. It is not a “ground breaking new scheme” and I doubt whether any FTSE 100 Directors will read it.
The guide, with its simple use cases, and the back-up material on the CPNI website covering critical controls and other guidance and education, is a good checklist for a corporate Chief Information Officer reviewing the objectives and budget of his Chief Information Security Officer. Whether it is of much value to the CIO when trying to make a case to his Board to give priority to information security over other matters at a time of all-round cost-cutting is another matter. I fear that we are still in a world of “experts producing material to impress other experts”.
Last night I attended a Computer Weekly 500 Club event on relations between the CIO and the Board. This is a perennial topic, and Professor Jim Norton’s presentation on the roles of the CIO might have been delivered 30 years ago (indeed the messages closely echoed those at a session on “Who should be responsible for IT” at the opening conference of IT 82, the first and most successful “awareness” campaign). What was different is that Jim has not only been a main board chairman but helps run the Institute of Directors’ training programme. His summary of the roles of the CIO, from translator, through gatekeeper and accountant to sheriff, helps position the value of what was announced yesterday: the CESG material is a useful piece of support material for the CIO who also has a credible business case for action and a strategy for delivering on the promises he will have to make in return.
I have three criticisms regarding the otherwise welcome CESG companion and the helpful supporting material on the CPNI websites.
The first is that the basic approach is reactive, adding controls rather than preventing vulnerabilities from being introduced in the first place (e.g. by poor system architecture and the recurrent use of development shortcuts which replicate 20- and 30-year-old vulnerabilities, to be picked up, if at all, by subsequent penetration testing).
Those who are serious about security really must move towards mandating good practice in security by design. BCS and IET must take a lead (working in co-operation with e-Skills) in mandating this in the undergraduate degrees and any other courses that they accredit, from schools to continuing professional development. We must also bridge the growing gulf between the cyberwarfare skills development plans of CESG and MoD and the civilian security skills needs of most of industry.
The promotion of this guidance might provide an opportunity to do just that.
What are the plans for follow-up with and through the civilian sector skills councils, where e-Skills is tasked to provide the lead on information security (as well as communications and computing) skills?
My second criticism is that in saying “who we work with” it is apparent that the CPNI has ignored the WARPs (Warning, Advice and Reporting Points), its previous partnership network. Indeed there appears to be no link to the WARP website from CPNI.
The WARP programme appears to have been quietly cut adrift a couple of years ago, when central funding and support was transferred to sexier programmes. Even so, a couple of dozen (particularly those covering parts of local government, the health service etc.) are still listed as active. What are the plans for working with and through those that survive rather than duplicating effort?
My third is that there is no reference to the value of participating in or linking to awareness exercises like “Get Safe Online”. There is a reference to “Action Fraud”. I suspect that this is another symptom of silo’d thinking. Awareness without action is not enough, but the two should be symbiotic.