Cybersecurity Risk Management … Beyond the “Golden Period”

Where do we stand with the management of cybersecurity risk? Answer … Not in a good place.

This position was further augmented upon reading an article in the January 23, 2020 Washington Post by Anna Fifield with the title “Wuhan quarantine expands as Chinese fear authorities withholding information about coronavirus outbreak,” available at

One statement, by Guan Yi, a virologist who helped identify severe acute respiratory syndrome (SARS) in 2003, really resonated. In reference to the coronavirus epidemic, he said that “We have passed through the ‘golden period’ for prevention and control.”

That characterization rings so true if applied to cybersecurity attacks and defenses. One can argue as to when that transition took place. My opinion is that it happened a decade or more ago.

What this means for cybersecurity is that we are beyond protection, avoidance and (minimally) deterrence, and are turning to detection and response.

In an interview article “Epidemics expert Jonathon Quick: ‘The worst-case scenario for coronavirus is likely,’” in The Guardian of March 1, 2020 available at , Quick, the former heads of the Global Health Council, states that:

“… we have a measure of epidemic preparedness—the Global Health Security (GHS) Index—that scores countries on six dimensions: prevention, detection, response, health system, risk environment and compliance with international standards.”

The GHSI does not appear to include protection, avoidance or deterrence. I think that it should. Perhaps they are implicit. In any event, it would seem to make sense for Infosec professionals to consider a similar index for cybersecurity risk by country, region, industry and organization. Yes, there are some forms of these considerations such as the Payment Card Industry’s Data Security Standard (PCI DSS), but they are not ubiquitous and not completely effective. Furthermore, we don’t have generally-accepted international cybersecurity standards.

There have been a number of attempts to establish such standards, but they always seem to fizzle out. I was involved in the GAISP (Generally-Accepted Information Security Principles) effort when it eventually came under the auspices of the ISSA (Information System Security Association) and I was involved directly in the project, heading up one of the tracks. A January 2004 draft of the GAISP principles is available at and is well worth reading.

The project was never completed. It collapsed under its own weight and because of differences of opinion among the leaders of the project. It is one of my greatest regrets that the standards were never finalized. It was the right time. Since then, we have seen significant failures in cybersecurity risk management, in large part because there are no universal standards and global enforcement mechanisms.

We can be reasonably certain that eventually the coronavirus will be controlled and that vaccines will be developed and made available to the masses. At this point, we do not know how much physical, emotional and economic harm will be inflicted on the world population, but it is reasonable to believe in the prospect of protection against the coronavirus and/or a cure.

Wish that it were so for cybersecurity risk. At this point in time, there is little indication that cybersecurity risk will be constrained nor that we will develop the prevention and protection mechanisms needed to mitigate, if not eliminate, the risk.

It is time to resurrect the creation of global standards and institute effective organizational structures that will begin to contain rampant cyberattacks and minimize the destruction that they cause.

Post a Comment

Your email is never published nor shared. Required fields are marked *