In October 2022 the US Cybersecurity and Infrastructure Security Agency (CISA) released a document titled the CPGs, the Cross-Sector Cybersecurity Performance Goals, that lays out some guidelines… or perhaps suggestions… for improving the cybersecurity posture and outlook of organizations. The document is intended as a supplement to the NIST Cybersecurity Framework created several years ago: a prioritized subset of practices drawn from that framework.

The document discusses various topics, including how many organizations even today have not adopted “fundamental cybersecurity protections”, how small and medium-sized organizations are “left behind” when it comes to implementing cybersecurity practices and investments, how there is a “lack of consistent standards and cyber maturity across CI (Critical Infrastructure) sectors”, and that “OT (Operational Technology) cybersecurity often remains overlooked and under-resourced”.

Okay, all of this is true, but we have certainly been aware of these issues for well over a decade. In other words, we have been talking about these same talking points for a very long time…just like we talked about the possibility of a global pandemic for a long time before it happened.

First of all, I applaud any effort to bring such matters to our attention, no matter how often we choose to repeat the same story over and over again. Anyone who is a parent or teacher knows that repetition is the key to getting things to change and hopefully improve. However, we also know that simple repetition is not always the most effective and certainly not the most efficient way to get things to change. It takes more than that.

I say this because, once again, this document, like many documents before it, states that everything outlined is voluntary. We all know how voluntary works in the real world. I’m not saying it is always a dismal failure, because we can point to many instances where voluntary actions have led to great success. What I am saying is that it is woefully inefficient in a world where cybersecurity issues are a constantly growing threat.

Okay, back to teaching and parenting for a moment. There are ways to get people to do things beyond voluntary adoption that seem to work. Let’s start with the one everybody hates, which is penalizing people and organizations for non-compliance. It works well in the military. It works in the civilian world. It works in the home. However, it also leads to rebellion, anger, and a populace that is constantly trying to figure out ways to game the system and put an end to the man cracking the whip. In other words, it is not always the best solution.

The other method is through incentives… a reward system, if you will. We reward good behavior. This is very effective, to the point of being ridiculous. Heck, people will pay good money to win “points” in video games that have no inherent value other than the proverbial “atta boy” pat on the back. Humans are easy sometimes.

Now I am not saying the brownie points system is the way to get organizations to buck up and improve their cybersecurity posture, but it certainly is possible to create incentive systems that could get them to fall in line. Perhaps tax incentives for organizations that can show evidence of compliance.

This brings me to the notion of “evidence”. In order to prevent people and organizations from gaming the system we need to consider what criteria can serve as conclusive evidence. Some of this can be determined by adherence to the limited standards that exist today, but that really only covers a small portion of what should be gathered. We also need to collect data from tools that track information such as the existence of vulnerable systems and the ability of organizations to react to known attack vectors. In other words, we need to know how vulnerable and resistant an organization is to digital diseases.

It is also important for organizations to be able to list various tools and methods that are “approved” by government agencies as acceptable for achieving cybersecurity goals. This of course would require government agencies (such as CISA) to establish criteria for evaluating such tools. Many agencies have fought against such a notion but it is not a crazy idea. I mean we definitely have established criteria for what is acceptable for addressing biological diseases. So why not the same for digital diseases?

Okay, again I want to applaud CISA for their efforts here. Let’s kick it up a notch and do better.