By looking for evidence first, the Brits do it right

by Russell on April 9, 2013


Looking for evidence of effectiveness

As it happens, both the US government and the UK government are leading “cyber security standards framework” initiatives right now. The US is using a consensus process to “incorporate existing consensus-based standards to the fullest extent possible”, including “cybersecurity standards, guidelines, frameworks, and best practices” and “conformity assessment programs”. In contrast, the UK is asking for evidence that any proposed standard or practice is beneficial or even “best”.

The Brits are doing it right. I hope the US follows their lead.


Here’s my submission to the US NIST Cyber Security Framework RFI. I was working on a longer, more complete submission, but ran out of time. But this is probably just as good at this early stage.

by Russell on April 9, 2013 at 2:42 am.

Excellent submission Russell! Thank you for sharing.

by Jared on April 9, 2013 at 6:36 am.

Thanks, Jared. Though I hope it has persuasive effect on NIST and other participants, I’d bet that their incentives and mental models will lead them to complete the assigned task without changes of direction.

A few of us have talked about a “B-sides” activity that parallels the meetings of the official initiative. I’ll let people know if that materializes.

by Russell on April 9, 2013 at 6:54 am.

[…] the Brits do it right,” The New School of Information Security, 09-Apr-2013. [Online]. Available: [Accessed: […]

by The Week That Was – 4/15/2013 on April 16, 2013 at 2:09 pm.
