In pursuit of the elusive green dot

Opinion
Dec 07, 2017 | 4 mins
Certifications, Regulation, Security

An increasingly complex security landscape (with all the new certification standards, regulations and audits) means we need more universal security standards.

The concept of standards in the security space is tricky. Every industry has its own set, and while they offer businesses and consumers some degree of comfort, there’s also an inherent downside: there are just too many.

Don’t get me wrong. Standards like PCI DSS, SSAE 18, NIST, COBIT 5, the ISO/IEC 27000 family, HITRUST and PSN play an important role. They help set a good baseline for cybersecurity discipline in various segments of the economy, raising the collective bar for greater protection and prevention. They ensure consistency in approach, but they don’t assure the integrity or security of what is being protected. The underlying issue: you can be certified and still not be close to secure, as we’ve seen with some of the major retailers, large healthcare providers and financial institutions who’ve been breached in recent years.

However, all too often, we rely on these disparate and incongruent measures to serve as the high bar for evaluating how secure an organization is.

I’ll give you an example. We have a particular server on our network that is covered by three distinct standards to certify its security. This server is audited at least five times per year. We maintain more than 600 pages of documentation accounting for the policies, protocol and control over this single piece of equipment – and this documentation is required to be updated annually. It’s no exaggeration to say we spend more time and resources auditing and certifying the server’s security than we do actually protecting it.

We need a universal standard

New industry compromises tend to lead to additional certification standards, regulations and audits. It’s a natural progression toward the obvious goal of protection. 

However, industry standards are table stakes in an evolving and already dangerously complex security landscape. In fact, many businesses today operate across industries and, for that matter, across international boundaries. Security standards should do the same. 

Imagine if we applied an open source approach to a security policy framework, one that would provide a baseline of accepted security standards with modules to allow for concentration by industry. Security standard templates could then map to those policies, and security tools could be created to map to the provided standards. Application and system logging could be tagged with the appropriate policy numbers so that it integrates quickly into SIEMs and reporting tools.

Such an approach would support regular, consistent updates from risk assessment professionals. It would enable the designation of various certification levels based on maturity – think bronze, silver and gold, or IoT, consumer and business – for a range of use cases, from implementing standards to tested and verified. We could implement a common security language across the global economy upon which training, certification and vendor selection could rely, effectively tying the entire security ecosystem together.

Sound far-fetched? I don’t think so. We need look no further for a viable starting point than the ISO/IEC 27000 series. The ISO/IEC 27000 series is an international security standard that could be modularized by industry to allow for auditing and policy control to be focused where and when they need to be. There are also many niche examples of this open source concept, such as the Open Certification Framework (OCF) and OpenSCAP, that we can use to help create this open source framework.

Bring on the dot

Many years ago, U.S. consumers would look for the Underwriters Laboratories (UL) symbol as the definitive seal of safety for any electronics they brought into their homes. 

Today, consumers and businesses, alike, rely on vendors to protect them – vendors with varying degrees of interest and incentive to do so diligently, even despite mounting breaches and fallout.

I’d love to see the creation of a simple green dot indicating a manufacturer’s compliance with a universal security standard. Not only would it simplify the issue for consumers and enterprises, but it would alleviate the financial disincentives within the supply chain to investing time and resources into compliance. In other words, voluntary and rigorous compliance would become a competitive differentiation that would drive the market. Consumers would look for products with the green dot to get security assurances, and that demand would drive vendors to produce products to that standard to meet the demand. This would affect the supply chain globally, far beyond what a regional security standard, regulation or government agency could provide.

We all know security is complicated. Bad actors use that fact to their advantage. When we make it simpler for businesses and consumers, we’ll make it a little bit harder for bad actors to get the upper hand. It takes a village, and it’s time for that village to adopt the green dot.

Dale Drew is the chief security strategist at CenturyLink. In his role, Dale is responsible for global security product architecture, engineering and operations, and global threat research.

Dale is an accomplished and experienced corporate security executive with more than 30 years of experience in developing critical global security programs, working in federal/state law enforcement and with Internet service providers (ISP). Prior to CenturyLink, Dale served as CSO for Level 3 Communications. Previously, he worked for Qwest Communications and MCI, where he was responsible for Internet security operations and engineering. Dale spearheaded Operation Sundevil, the nation’s largest computer crime investigation, when he served as a member of the U.S. Secret Service. He also ran the Arizona State Forensic Lab, working for the attorney general’s office in the organized crime division.

The opinions expressed in this blog are those of Dale Drew and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.