I’m putting together an Event note for Gartner clients analyzing the “Cyberspace Policy Review: Assuring a Trusted and Resilient Information and Communications Infrastructure” report announced to great fanfare on Friday. I’ve actually read through all 76 pages and will make more detailed comments in the research note, but here’s the short, free-on-the-blog summary: the report recommends creating a staff to continue the Comprehensive National Cybersecurity Initiative approach of collecting information about attacks, rather than focusing on reducing or shielding vulnerabilities to prevent attacks in the first place.
It is basically a strategy for investing in more forest fire lookout towers vs reducing the likelihood and impact of wildfires. Good for the agency that keeps wildfire statistics, good for the people who sell forest fire monitoring technology and services – bad for the forest critters and the people who live in houses near forests.
1 Carter // Jun 2, 2009 at 11:23 am
It is interesting to see that “training”, which from a technical & operational perspective is more influential than the newest gadget in the magic quad, is not addressed other than as a referenced material for this document. When we take into consideration the amount of monies spent on IA risks from a technical perspective only, then measure that to the increase/decrease of threats that present true risk, we will see a decreasing ROI.
2 John Pescatore // Jun 2, 2009 at 12:12 pm
First off, it depends on the type of training, as to whether it is influential. There has been no end to training about scams that people fall for in the real world, and they still fall for them – and in the cyberworld, they fall for them all over again. There is a lot of fluff proposed all the time about end user training or creating a “security aware culture” that *never* shows ROI. Well, the return is that the security group gets to say “we told them not to do that” – but “that” still happens.
Now, training of system administrators and software developers – definite value there, once again as vulnerability avoidance. That aspect is totally ignored by this plan.
I really don’t think there has been any major lack of addressing the human side of the end user equation – I think there has been huge over-estimation of how effective that will be, since the threats always have and always will fool the end user. See my blog post about speed cameras vs. public service commercials about driving the speed limit in front of schools and work zones.
3 Rob Lewis // Jun 5, 2009 at 1:19 pm
Every herd needs a shepherd. More of what isn’t working will not solve everything, but will eliminate some low hanging fruit.
It amazes me though, how so many people in the industry equate reacting faster with being proactive, even to the point of using the word react in their definition. Sheesh.
4 Skepticism and Disappointment in Many Reactions to Cybersecurity Plan « Jim’s Hardware // Jun 7, 2009 at 8:01 pm
[...] Another downbeat perspective comes from Gartner’s John Pescatore: the report is long on collecting statistics about security incidents, short on resources for preventing and dealing with them. It is basically a strategy for investing in more forest fire lookout towers vs reducing the likelihood and impact of wildfires. Good for the agency that keeps wildfire statistics, good for the people who sell forest fire monitoring technology and services – bad for the forest critters and the people who live in houses near forests. [...]
5 Cyberspace Policy Review « Aggressive Virus Defense // Jan 8, 2010 at 1:16 pm
[...] is criticized as lacking specific and dramatic measures. [Gadi Evron, Andrew Storms] and “Recommends Response Over Prevention” (John Pescatore of Gartner). It is true. The study recommends education, further study, and [...]
6 DHS Takes Steps In The Right Direction // Feb 3, 2010 at 7:53 am
[...] cybersecurity plans for Gartner international government clients, as well as blogged some reviews here pundit-style on the various national cybersecurity strategies the US has published. They all tend [...]