Standardization Versus Risk Management: How Much Cybersecurity Is Enough?


There’s no doubt that cybersecurity is a complex topic to legislate. Given how fast-moving security’s components are, legislation is often too slow and cumbersome. Antonio Ramos, CEO of Leet Security, a cybersecurity ratings agency based in Madrid and member of the Stakeholder Cybersecurity Certification Group (SCCG), says that recent trends in legislation around cybersecurity are, in general, positive.

“Define how to measure cybersecurity and then establish how much you need.”
Antonio Ramos, CEO of Leet Security

“Now cybersecurity is a ‘hot’ topic and politicians are aware of it,” he adds. Nevertheless, he is critical of the overall focus on certification and minimum requirements and would like to see more emphasis on risk management approaches. “We keep thinking about cybersecurity as something that can be standardized, which, by definition, is impossible. Cybersecurity is a risk management issue which depends on risk appetite, risk exposure, and many other things that make it impossible to define which is the right level of cybersecurity for every single case.

Certification is perfect for establishing a minimum level of requirements to start doing business in a field, but then we should open the hand to offer other kinds of mechanisms that have proven useful in other markets, such as rating, labeling, self-assessment, or auditing,” he says. Rather than defining a list of security controls for every situation, an alternative approach is to define how to measure cybersecurity and then establish how much is needed in each case, suggests Ramos. “This approach is much more efficient and improves the efficiency of certification. In fact, this approach is the one that the Spanish Center for Protection of Critical Infrastructures (CNPIC) is using for the definition of the cybersecurity certification framework for critical operators. A scheme with different levels against which operators can set certifications and then the Center decides which level is right depending on the criticality of the infrastructure,” he explains.
