The latest output from the European Commission on e-security makes for interesting reading for software and services providers. Entitled Cybersecurity Strategy of the European Union: An Open, Safe and Secure Cyberspace, it is remarkable in its focus on common sense. For decades cyber-criminals have operated more or less with abandon as separate governments and industries have been in permanent reactive mode.
Importantly, the new strategy is less about technology and more about process. While there is some provision for research and increasing awareness, the focus is on collaboration across borders, governments, law enforcement agencies and private firms. There’s recognition that the problem is out of hand, and only a co-ordinated and sustained defence can succeed.
The key element, as far as SITS players are concerned, is the call for a ‘Single market for cybersecurity products’. The aim is to create a widely-recognised and accepted stamp of approval – like a BSI Kite Mark – for compliant products and web sites. Visible, credible and trusted.
This is a massive opportunity for e-security suppliers to grow their market significantly. The demand from public and private sector organisations to have accredited web sites and online services should create a mini-boom in e-security, EU-wide.
The challenge is for the e-security community to collaborate to produce this single market. To date, standards proliferation has effectively killed security integration, simply because it’s not in the short-term interest of vendors to play nicely with their competitors. The security industry loves creating certifications, clubs, associations and standards – why join an existing one when you can invent your own? In the UK alone I count the following: ASIS, BCS SCoE, BCS-ISSG, CAMM, CESG, CLAS Forum, CPNI, CSA, CSOC, EURIM, IAAC, IACG, ICO, IISP, IMPACT, IS&A, ISACA, ISAF, (ISC)2, ISCA, ISF, ISSA, OCSIA, PCeU, SASIG, SOCA, SyI and VSIE. There’s even an association of associations. It would be funny if it wasn’t such a serious issue.
So, the EC has a job on its hands to convince the various parties to play along. I hope the EC has some enforcement tactics up its sleeve.
One last word regarding ENISA (the European Network and Information Security Agency). The role of ENISA really needs to get beefed up – it’s been quite ineffective to date. There are plans to rescope its brief, but a retender might have a more positive effect.