Shostack + Friends Blog Archive

 

By looking for evidence first, the Brits do it right

068170-britain-royals-jubilee-pageant

Looking for evidence of effectiveness

As it happens, both the US Government and the UK government are leading “cyber security standards framework” initiatives right now. The US is using a consensus process to “incorporate existing consensus-based standards to the fullest extent possible”, including “cybersecurity standards, guidelines, frameworks, and best practices” and “conformity assessment programs”. In contrast, the UK is asking for evidence that any proposed standard or practice is beneficial or even “best”.

The Brits are doing it right. I hope the US follows their lead.

4 comments on "By looking for evidence first, the Brits do it right"

  • Russell says:

    Here’s my submission to the US NIST Cyber Security Framework RFI. I was working on a longer, more complete submission, but ran out of time. But this is probably just as good at this early stage.

    http://meritology.com/resources/NIST_RFI_submission_summary.pdf

  • Jared says:

    Excellent submission Russell! Thank you for sharing.

  • Russell says:

    Thanks, Jared. Though I hope it has persuasive effect on NIST and other participants, I’d bet that their incentives and mental models will lead them to complete the assigned task without changes of direction.

    A few of us have talked about a “B-sides” activity that parallel’s the meetings of the official initiative. I’ll let people know if that materializes.

Comments are closed.