Are Information Security Management Systems Helpful?
The lingo of standards organizations is magnetic, but claims that mastering today’s fashionable standards—ISO 27001, PCI DSS, NIST SP 800-53, and many more—leads to secure information systems should be weighed with skepticism. In some respects, we see more illusion than substance. Consider hiring, for instance. “You say you’re familiar with 800-53? Great! You must be an information security expert!”
A concern I have with all of these specifications is that they approach cybersecurity from a top-down perspective. They take their definition of security from ISO 27000 or Title 44 of the U.S. Code or similar, and they invoke a system of management control abstractions, treating information systems as a collection of opaque boxes that need not be looked inside. All that is required of management is to support these boxes with infrastructure that will ensure their “availability,” “integrity,” and “confidentiality.” That infrastructure, of course, is the domain of the “information security management system professionals” that everyone looks to hire because ISO 27000 says it’s their role.
The Ohio General Assembly just amended the law to favor companies that take this top-down view of information security, giving them safe harbor against tort claims when their information security management systems fail. The same bill loosens regulations on casinos, which casts more than a shadow over the sobriety of the entire rulemaking. Unfortunately, expert testimony opposing Senate Bill 220 was dominated by law firms. Computer scientists who would have critical insight to contribute don’t tend to follow legislative proceedings.
One weakness with top-down approaches to information security management is that cybersecurity is not a peripheral. I can’t take a collection of haphazardly implemented, foolishly chosen components, slap a security module on as an afterthought, and ship an ethical outcome. One of the S.B. 220 proponents wrote tellingly, “the technology we use daily is vulnerable and can be hacked.” Please bear with me while I ask a question from the bottom: Who authorized vulnerable technology for daily use to begin with?
It’s my position that cybersecurity is the discipline of scaling automation responsibly. The people we need to make information systems secure are those who create their components in the finest detail, the people who talk directly to users, determine requirements, and deliver the simplest practical solutions. By “simplest practical solutions,” I don’t mean quickest to implement, easiest to purchase, or requiring the least training. For me, “simplest” taps approaches that are most subject to human control, most comprehensible by a single person, easiest to support with in-house personnel, best suited for security audits, least expensive to extend and maintain, require the fewest upgrades, minimize opportunity for defects, and have the longest service life.
These attributes, which promote information security, are hard to procure within the opaque components that vendors routinely offer, but straightforward to implement when qualified personnel can start from ground zero. The need is for brilliant implementers with domain-specific knowledge of computer science and engineering, not necessarily people whose resume mentions NIST SP 800-53, or even people familiar with a particular product line or programming language. We need a best-of-planet workforce who will scale our automation responsibly and protect against unanticipated threats, rather than merely avoiding the anticipated threats addressed by the law Governor Kasich just signed.
The ISO 9000 series of quality assurance management standards has done marvels for measurable product quality, but the methodology does not transfer easily to information security. Two cars can have the same design but differ in quality because they were manufactured differently; the better car did not necessarily involve any design change. Cybersecurity is different, because security improvements usually require design changes, not merely more careful execution of the same design. This means that information security professionals need domain-specific knowledge and direct responsibility over every technical detail of a system. It doesn’t help to know only the high-altitude abstractions of any information security management system, or even to know them all thoroughly.
Marc Abel is a life member of Caltech Alumni Association and the owner of Wakefield Cybersecurity in Bellbrook.