Cross-Posted from The Global Privacy Watch

With all the high-profile cybersecurity breaches that seem to be in the news lately, there is a plethora of “guidance” on cybersecurity. The Attorney General of California has decided to add to this library of guidance with her “Cybersecurity in the Golden State” offering. Cybersecurity is a pretty mature knowledge domain, so I am not quite sure why General Harris has determined that there needs to be additional guidance put in place. However, it is a good reminder of the things that regulators will look for when assessing whether or not “reasonable security” was implemented in the aftermath of a breach. And while there isn’t anything new in the guidance, what is informative is what is not there.

General Harris’ guidance does a good job of turning an oftentimes technical topic into something most small to medium business owners can understand. Considering that the vector for attacking large companies is often the smaller vendor of the big company, this is a quite laudable goal (think Target’s HVAC vendor).

The elevation of the “first principles” of 1) Assume You are a Target, 2) Lead by Example (for the CEO), 3) Map Your Data, 4) Encrypt Your Data, 5) Bank Securely, 6) Defend Yourself, 7) Educate Employees, 8) Be Password Wise, 9) Operate Securely, and 10) Plan for the Worst are all good foundations to work from. Unfortunately, these principles are a floor, and a somewhat incomplete floor at that.

Risk Based Security

The most glaring “first principle” that seems to be missing from General Harris’ guidance is “Understand Your Risk”. While concepts of risk-assessment methodology are sprinkled throughout the document’s text, this foundational principle isn’t really called out. Applying “reasonable security” must start with an understanding of what is reasonable. While the data mapping exercise recommended by General Harris is a good start, merely knowing where your data is doesn’t actually describe the complete risk profile. What kind of data is present? Where did it come from? How is it used? Where does it go (vendors, or end-of-life)? These are all things that are critical in determining which of the security measures you deploy.

All of the other cybersecurity models start with a risk analysis. NIST and the FISMA frameworks are all risk based. So is the FFIEC’s guidance for the financial industry. This is a foundational element that needs to be called out as a “first principle” in and of itself.

Ecosystem Security

In the highly networked environment which is the modern age of service delivery, no business is an island. General Harris’ guidance seems to be mostly internally focused – what can the business do to protect itself. As we have seen with the Target hack, one of the additional foundational principles of good cybersecurity is understanding where one sits within the larger ecosystem. The HVAC vendor needs to understand that it has a duty to those clients upstream, but also that it carries risk from *its* vendors downstream. This is also part of the risk-based security approach described above. You can’t just look at your own systems; you have to look at the systems in both directions of the supply chain.

All in all, General Harris’ guidance is a good start, but it is missing two highly critical principles which a number of other cybersecurity frameworks rely on for their foundation. These principles of risk-based security and a holistic point of view are going to be critical for anyone who wants to avoid having the General look closely at their cybersecurity program because of a breach which affects Californians.

John Tomaszewski

John Tomaszewski specializes in emerging technology and its application to business. His primary focus has been developing trust models to enable new and disruptive technologies and businesses to thrive. In the “Information Age”, management needs to have good advice and counsel on how to protect the capital asset which heretofore has been left to the IT specialists – its data.

John’s expertise in understanding a company’s data protection and management needs provides a specialized point of view which allows for holistic solutions. A good answer should always solve at least three problems.

John has been a co-author of several information security and privacy publications, including the PKI Assessment Guidelines and Privacy, Security and Information Management: An Overview; as well as publishing scholarly works of his own on the topic. He has also provided input to the drafting of various security and privacy laws around the world; including the APEC Cross-Border Privacy Rules system. He is a frequent speaker globally on the topics of cloud computing, Self Regulatory Organizations (“SROs”), cross-border privacy schemes, and secure e-commerce.