Setting Standards

Rather ironically there is no standard definition for the word ‘standard’.

It can mean any of the following:

  • A level of quality or attainment
  • A unit of measurement, norm or comparative model
  • A tune or song of established popularity
  • A military or ceremonial flag
  • A tree or shrub on an erect stem
  • An upright gas or water pipe

And even more ironically the term ‘standard’ when used by newspapers (like the Daily Standard etc) refers to the high level of quality, accuracy and journalistic integrity employed by the editorial staff.  Go figure.

When I first started out in the World of IT and in particular IT infrastructure and security, I mostly focussed on the technical and physical aspects of security as this was where my strengths were.  I can remember training students on Microsoft and CompTIA courses and getting particularly animated about the technical controls we used and then less animated about procedural controls – you know, the boring stuff like, policies, procedures and standards.

Most of my lack of enthusiasm was due to my ignorance of the importance of these things in the real world.  Even though I applied them and knew about them – it was always somebody else’s job to worry about them.

They say that a leopard never changes its spots – which is probably true in the natural world – but over the years, I have certainly changed my attitude and level of appreciation for the procedural or administrative controls that are widely used across cyber and information security operations. 

Don’t get me wrong – I still don’t want to be an auditor when I grow up – but I very much appreciate those that do.

I was in the Royal Air Force.  It was a reasonably long time ago and doesn’t generally crop up in conversation these days but when it does – I can almost guarantee that someone will ask if I was a pilot.  And naturally that’s all they see as a job in the RAF. 

Although there are no hard and fast numbers – it is estimated that there are currently about 1800 pilots out of 35,000 serving RAF personnel – and only just over 500 operational aircraft.  So the maths indicates that roughly 95% of serving personnel are not pilots!  But flying aircraft is the key objective of an air force – so that’s where the stereotype takes the mind.

And no, I wasn’t a pilot.

Everybody conjures up the sexy ‘Top Gun’ image of being in the RAF and very few consider all the cooks, engineers, drivers, dog handlers, medics, analysts and admin staff that keep the pilots in the air.

Nowadays, I tell people that I am involved in cybersecurity – which generally gets the response of – are you a hacker!?  My response is pretty much the same for the RAF pilot question.  You are more likely not to be involved in hacking and more likely to be involved in the other 95% of cybersecurity operations!  But the stereotype is that you wear a hoodie all day and sit on a computer coding in ones and zeros and don’t get out much!

Everybody focusses on the ‘sexy’ image that cybersecurity conjures up – and nobody from outside of the industry really understands all of the moving parts that come together to protect a business from cyber threats.

Due to the stereotypes around cyber, when you are starting out in a career in cybersecurity or information security – it can be very hard to work out what is really important from a knowledge and skills perspective. 

It is frustrating when people want to get straight into hacking the arse off of everything and seem to bypass the foundations.  And at the end of the day – penetration testing, ethical hacking and red team operations are a very small part of what cybersecurity is all about.

It is quite amusing on the certified ethical hacking courses to see the look on delegates’ faces on day one when we discuss the importance of service level agreements, contracts, non-disclosure agreements and terms of employment before we even fire up a Kali Linux box!  “When do we get to hack stuff Phil?” – “When you know what you are doing and have covered the mandatory paperwork!”

Foundations are built on good solid plans and architectures.  Architects work to approved frameworks and standards.  Standards that satisfy the relevant legal and regulatory requirements.  Knowing the legal frameworks and requirements allows you to meet standards.  Meeting standards allows you to build something that is safe and secure.

So knowing about standards is important from the outset.

Like most things in life – learning is just the beginning.  Applying, adjusting and improving are all key areas that create something called continual improvement.  And continual improvement is a key part of cybersecurity.

Continual improvement may take the form of the continual adaptation and adoption of required legal frameworks, international standards or internal policies – this is all key for an effective cybersecurity culture.  Or continual improvement is seen in the adoption of DevSecOps, or simply in a robust change management process for IT systems.

The standards we are concerned with are not flags, tunes or trees but maintaining a level of quality and attainment of security that keep an organisation safe and secure.

As with every standard ever introduced – they go through a process of continual improvement to ensure that they keep up to date with changes in technology, legislation and working practices.

Think about the day-to-day standards in areas such as employment law, human rights and health and safety.  If you are of a certain generation, you may have been guilty of occasionally uttering words such as “well that’s health and safety gone mad” or “it’s a nanny-state we live in” but the facts speak for themselves. 

A quick Google search will tell you that since the introduction of the UK Health & Safety at Work Act in 1974, work-place casualties (including deaths) have dropped by 84%. Organisations create standards based on the legal framework and it literally saves lives – and when you see it like that – there can be no argument about the importance of these standards.

There is no major difference in the world of cyber.  It is true that cyber-related deaths remain very low – but the risk of lives being impacted by cyber-attacks and related activities is very high and the numerous laws, regulations and standards that are implemented all help to mitigate the risk.

In the headlines recently, 2 very prominent attacks against the retail sector in the UK led to the CEOs going public on the personal impact that the attacks had on them directly and on their staff.  Terms like ‘out of body experience’ and ‘devastated by the impact’ show how these incidents really hit home to people in charge of organisations.  You could argue that they only feel for the amount of money they have lost as a result, but the words appear heart-felt and genuinely directed at the people that they have a duty of care for.

Another report, which largely went under the radar last month, covered the death of a patient that has been directly linked to a ransomware attack against the supply chain of a hospital trust.

Cybersecurity is not a ‘nice-to-have’ in an organisation – it is a mandatory requirement.  Data protection, protection of personally identifiable information (PII), protection of financial information and payment card data, health information, human rights and numerous other legal and regulatory standards allow organisations to build frameworks for security and remain compliant with their legal obligations. 

Which is why you will always discuss areas such as, DPA, GDPR, PCI-DSS, HIPAA and plenty of international and industry-specific regulations and standards in training courses.

These are essential for both internal and external cybersecurity policies and agreements.

If you set these standards within your organisation – you must then expect the same set of standards from the supply chain and cloud providers that you work with.  This all sits alongside the physical and technical controls that are implemented to meet compliance requirements.

So – here I am, now very much converted to the fact that procedural controls are just as important – if not more so – than the ‘sexy’ technical controls we like to get our hands on.

Everything is underpinned by a security policy and policies are underpinned by laws, regulations and standards.

Don’t just learn them for an exam – learn them to make an impact and apply in your cybersecurity role and understand their importance in everything that you do.

Continual improvement is the name of the game.

Audit long and prosper!
