This Wall Street Journal blog post by Joel Schectman reviews the U.S. Standards and Technology’s report on how companies can better protect themselves from cyber attacks. After briefly recounting how the document came to exist, Schectman explains why it could be seen as more detrimental than helpful.
To begin with, he notes that most of the suggestions it contains are already well known to many CIOs, and that the document seems to lack urgency:
Instead of creating a sense of urgency around certain issues, like ensuring that companies know the vulnerabilities of the software they use, the document gives all the recommendations the same weight, Mr. Pescatore said. Worse, it creates additional reporting obligations that may draw time away from security. “It dilutes the security function from protecting the business to doing paperwork,” Mr. Pescatore said.
Empowerment of Priority
According to Adam Sedgewick, however, the recommendations were left unprioritized so that individual companies could decide for themselves what was most important. Regardless, the document shows governments' growing awareness of the need to shore up holes in organizations’ cyber security.