Speaking at the Gartner Security and Risk Management Summit in London recently, former government and GCHQ IT engineer Mike St John-Green suggested that overly stringent regulation and a proliferation of guidelines are causing problems for businesses: “We don't know what is good enough in cyber security, but the current world of standards is complex and the world could do with a consolidation of standards,” said St John-Green, adding, “We need to form an industry model on where we need standards, what they need to look like and what to do with a simplified model.”
In his talk, entitled 'Sufficient cyber security - how much is good enough?', he called for security models to be improved and simplified in order to promote greater understanding and reduce the “baffling” of organisations.
“There are too many models and this increases costs for organisations to abide by, so the last thing they need is a different framework. Small-to-medium enterprises (SMEs) also see this as a barrier for entry and they are not in a position to bring convergence either,” said St John-Green.
He suggested that although risk management is a valid preoccupation, for SMEs it is a real problem and can be very costly. “We need to develop a different approach with prescriptive practice. If one goes down this path, there is a high jump with minimum gap,” he said, though a “one size fits all” approach is not necessarily the best. A better solution could be risk profiles for each part of each sector, simplifying the requirements while at the same time increasing their relevance and efficiency for individual SMBs.
Concluding his talk, St John-Green said that the security market “has not developed as it should have” and suggested there was room for improvement if businesses are to get the most out of the market, often within tight budgets and with minimal risk.
Do you find the standards around security confusing? How could they be improved? Please comment below or connect with us on Twitter @MicrosoftBizUK.