Monday, December 15, 2008

CyberSecurity Sanity We Can Believe In

With everybody and their pocket yoyo trumpeting the need for a Cyber-Czar it was good to see Dale's comments over on Digital Bond

1. The reorganization of responsibility will introduce delay and is unlikely to improve the situation

Let’s say the National Office for Cyberspace comes to be early in the Obama administration. We are in for an ineffective time period and disruption while the new organization is ’stood up’ and everyone figures what their new role is in this organization. Is it six months, a year or longer before the new organization is effective? Anyone who has dealt with government stand up efforts and associated bureaucracy is probably shaking their heads.

Many loyal blog readers have been involved in one or more re-orgs of large organization, especially with arrival of new management. How often has that really made a dramatic difference? I don’t see the organizational structure being even close to the biggest impediment to date.

2. This whole consolidation / czar concept that is the rage is flawed, at least as related to information security.

We like to think that we can bring in a superstar with charisma to become the czar, e.g. drug czar, education car czar, cyber security czar, …, and all will be well. In this control system cyber security effort I’d argue the key is the people three, four and five levels down from this charismatic czar.

We don't need to be creating new organizations.

We don't need a Cyber Defense Agency (or a Control Systems CERT for that matter).

Just do your F-ing jobs, people.

No comments: