CESG has indeed produced a readable and succinct "Executive Companion" to Cyber Security

Yesterday I questioned whether the new CESG Cybersecurity Guide, now available on the BIS website, would be any better than that produced by the US FCC. 

It is. But it is what it says on the cover: “an Executive Companion”. It is not a “ground breaking new scheme” and I doubt whether any FTSE 100 Directors will read it.

The guide, with its simple usage cases, and the back-up material on the CPNI website covering critical controls and other guidance and education, is a good checklist for a corporate Chief Information Officer reviewing the objectives and budget of his Chief Information Security Officer. Whether it is of much value to the CIO when trying to make a case to his Board to give priority to information security over other matters at a time of all-round cost-cutting is another matter. I fear that we are still in a world of “experts producing material to impress other experts”.

Last night I attended a Computer Weekly 500 Club event on relations between the CIO and the Board. This is a perennial topic and Professor Jim Norton’s presentation on the roles of the CIO might have been delivered 30 years ago (indeed the messages closely echoed those at a session on “Who should be responsible for IT” at the opening conference of IT 82, the first and most successful “awareness” campaign). What was different is that Jim has not only been a main board chairman but helps run the Institute of Directors’ training programme. His summary of the roles of the CIO, from translator, through gatekeeper and accountant to sheriff, helps position the value of what was announced yesterday: the CESG material is a useful piece of support material for the CIO who also has a credible business case for action and a strategy for delivering on the promises he will have to make in return.

I have three criticisms regarding the otherwise welcome CESG companion and the helpful supporting material on the CPNI websites.

The first is that the basic approach is reactive, adding controls rather than preventing vulnerabilities from being introduced in the first place (e.g. by poor system architecture and the recurrent use of development short cuts which replicate 20 and 30 year old vulnerabilities, to be picked up, if at all, by subsequent penetration testing).

Those who are serious about security really must move towards mandating good practice in security by design. BCS and IET must take a lead (working in co-operation with e-Skills) in mandating this in the undergraduate degrees and any other courses that they accredit, from schools to continuous professional development. We must also bridge the growing gulf between the cyberwarfare skills development plans of CESG and MoD and the civilian security skills needs of most of industry.

The promotion of this guidance might provide an opportunity to do just that.

What are the plans for follow up with and through the civilian sector skills councils, where e-Skills is tasked to provide the lead on information security (as well as communications and computing) skills?

My second criticism is that under “who we work with” it is apparent that the CPNI has ignored the WARPs (Warning, Advice and Reporting Points), its previous partnership network. Indeed there appears to be no link to the WARP website from CPNI.

The WARP programme appears to have been quietly cut adrift a couple of years ago, when central funding and support was transferred to sexier programmes. Even so, a couple of dozen (particularly those covering parts of local government, the health service etc.) are still listed as active. What are the plans for working with and through those that survive rather than duplicating effort?

My third is that there is no reference to the value of participating in or linking to awareness exercises like “Get Safe Online”. There is a reference to “Action Fraud”. I suspect that this is another symptom of siloed thinking. Awareness without action is not enough, but the two should be symbiotic.

1 comment


Iain Lobban, Director of GCHQ, says in the Executive Companion to 10 steps to cyber security:

"Every day, all around the world, thousands of IT systems are compromised. Some are attacked purely for the kudos of doing so, others for political motives, but most commonly they are attacked to steal money or commercial secrets. Are you confident that your cyber security governance regime minimises the risks of this happening to your business? My experience suggests that in practice, few companies have got this right."

The web is a dangerous place to be.

BIS clearly supports him; it's their press release that announced the initiative to get cyber threats taken more seriously.

That's with one hand.

With the other hand, BIS is trying to promote midata, an initiative which would see us all maintaining our Personal Data Stores (PDSs) on the websites of designated suppliers, crammed full of all the data that identifies us. Websites, thousands of which Mr Lobban says are compromised every day.

Is BIS schizophrenic?

One might ask the same question of the Cabinet Office who also attended yesterday's event. Cyber security is one of Francis Maude's responsibilities. And yet he, too, is supporting the deployment of PDSs. They will provide the identity assurance needed, so it is hoped, for public services all to become digital by default.

The message seems to be that business must take cyber security seriously but Whitehall needn't.