By looking for evidence first, the Brits do it right
Looking for evidence of effectiveness
As it happens, both the US Government and the UK government are leading “cyber security standards framework” initiatives right now. The US is using a consensus process to “incorporate existing consensus-based standards to the fullest extent possible”, including “cybersecurity standards, guidelines, frameworks, and best practices” and “conformity assessment programs”. In contrast, the UK is asking for evidence that any proposed standard or practice is beneficial or even “best”.
The Brits are doing it right. I hope the US follows their lead.
Here’s my submission to the US NIST Cyber Security Framework RFI. I was working on a longer, more complete submission, but ran out of time. But this is probably just as good at this early stage.
http://meritology.com/resources/NIST_RFI_submission_summary.pdf
Excellent submission Russell! Thank you for sharing.
Thanks, Jared. Though I hope it has persuasive effect on NIST and other participants, I’d bet that their incentives and mental models will lead them to complete the assigned task without changes of direction.
A few of us have talked about a “B-sides” activity that parallel’s the meetings of the official initiative. I’ll let people know if that materializes.