
June 20, 2007

It's not that the framework doesn't work, it's that the implementation doesn't work.

In our world of security, you have to make a cost-benefit-risk comparison and the current culture of "there is no such thing as acceptable risk" is what's killing us. As long as we keep referring to the process as "compliance" instead of "risk management", we will have a problem. That's what Gregory Wilshusen is saying, but everybody misinterprets it to mean that the law doesn't work.

Some of my own postings on this subject from the last week:

And please be careful about what SANS says. They're trying to make money off selling their training: "PPS There is one more week until the deadline for low-cost registration to the largest cyber security program in Washington: SANSFIRE at the end of July."
> SANS interprets this as a call to better measurement.

I interpret this as SANS now selling measurement courses ...

> Eventually, U.S. federal agencies will get serious about security, probably after multiple major breaches cost them billions of dollars, and several Senators and Congress members lose elections over those breaches, and then measurement will happen.

This is the nub of the problem. The risks that are sold (by SANS and others) are not validated, therefore after a decade or two of selling them, the users ignore all warnings. Correctly, coz they were mostly wrong and expensive in the past.

Now what is required is to concentrate on validated risks, so as to prepare an appropriate and measured response. This might change in time due to more breach notification ... it might require simple case studies that stressed costs actually incurred.

For the moment, compliance failures are a bigger risk than security failures, so the agencies' actions seem logical.
