The concept of standards in the security space is tricky. Every industry has its own set, and while they offer businesses and consumers some degree of comfort, there’s also an inherent downside: there are just too many.

Don’t get me wrong. Standards like PCI DSS, SSAE 18, NIST, COBIT 5, the ISO/IEC 27000 family, HITRUST and PSN play an important role. They help set a good baseline for cybersecurity discipline in various segments of the economy, raising the collective bar for greater protection and prevention. They ensure consistency in approach, but they don’t assure the integrity or security of what is being protected. The underlying issue: you can be certified and still not be close to secure, as we’ve seen with some of the major retailers, large healthcare providers and financial institutions that have been breached in recent years.

However, all too often, we rely on these disparate and incongruent measures to serve as the high bar for evaluating how secure an organization is.

I’ll give you an example. We have a particular server on our network that is covered by three distinct standards to certify its security. This server is audited at least five times per year. We maintain more than 600 pages of documentation accounting for the policies, protocols and controls over this single piece of equipment – and this documentation is required to be updated annually. It’s no exaggeration to say we spend more time and resources auditing and certifying the server’s security than we do actually protecting it.

We need a universal standard

New industry compromises tend to lead to additional certification standards, regulations and audits. It’s a natural progression toward the obvious goal of protection. However, industry standards are table stakes in an evolving and already dangerously complex security landscape. In fact, many businesses today operate across industries and, for that matter, across international boundaries. Security standards should do the same.

Imagine if we applied an open source approach to a security policy framework, one that would provide a baseline of accepted security standards with modules to allow for concentration by industry. Security standard templates could then map to those policies, and security tools could be created to map to the provided standards. Application and system logging could be tagged with the appropriate policy numbers so that it could be quickly integrated into SIEMs and reporting tools.

Such an approach would support regular, consistent updates from risk assessment professionals. It would enable the designation of various certification levels based on maturity – think bronze, silver and gold, or IoT, consumer and business – for a range of use cases, from implementing standards to tested and verified. We could implement a common security language across the global economy upon which training, certification and vendor selection could rely, effectively tying the entire security ecosystem together.

Sound far-fetched? I don’t think so. We need look no further for a viable starting point than the ISO/IEC 27000 series. The ISO/IEC 27000 series is an international security standard that could be modularized by industry to allow auditing and policy control to be focused where and when they need to be. There are also many niche examples of this open source concept, such as the Open Certification Framework (OCF) and OpenSCAP, that we can use to help create this open source framework.

Bring on the dot

Many years ago, U.S. consumers would look for the Underwriters Laboratories (UL) symbol as the definitive seal of safety for any electronics they brought into their homes. Today, consumers and businesses alike rely on vendors to protect them – vendors with varying degrees of interest and incentive to do so diligently, even despite mounting breaches and fallout.

I’d love to see the creation of a simple green dot indicating a manufacturer’s compliance with a universal security standard. Not only would it simplify the issue for consumers and enterprises, but it would alleviate the financial disincentives within the supply chain to investing time and resources in compliance. In other words, voluntary and rigorous compliance would become a competitive differentiator that would drive the market.

Consumers would look for products with the green dot to get security assurances, and that demand would drive vendors to produce products to that standard. This would affect the supply chain globally, far beyond what a regional security standard, regulation or government agency could provide.

We all know security is complicated. Bad actors use that fact to their advantage. When we make it simpler for businesses and consumers, we’ll make it a little bit harder for bad actors to get the upper hand. It takes a village, and it’s time for that village to adopt the green dot.