The fun part of this time of the year: the FISMA Report Armchair Quarterbacks. Hey, even I fit in there somewhere because right now I’m nowhere near being in a decision-making role for the Government.
Well, today it’s the ISC2 blog talking about FISMA.
So why is it that nobody addresses the huge pink and chartreuse elephant in the room? The problem is not the metrics, as flawed as they might be. The problem is not identifying a security baseline, even though that makes sense to have. The problem is not demonstrating Return on Security Investment (as flawed as the concept is, and no, I don’t want to debate whether it’s a valid concept, even though we all know it’s not) even though good CISOs try to do that as internal marketing to their management.
This is the primary problem for the Government when it comes to security: due to the scale of the Federal Government, we do not have enough skilled security people to go around. Almost all of our governance models are designed around this flaw:
- Catalog of controls to standardize
- Checklists so that less-skilled assessors can
- Varying degrees of automation
- Prioritization of security practitioners’ time
This is why I’m adding “Fast Food Franchises” to the list of models that large-scale security can draw from. =) More to come on this topic once I sort out the ideas.
McDonald’s Checklist photo by myuibe