Challenges of writing cybersecurity standards | Pluralsight
Pluralsight author John Elliott, a veteran in the field of data privacy and security, discusses writing technical standards for cybersecurity and its challenges.
Jun 8, 2023 • 3 Minute Read
Security is an all too familiar topic for tech professionals, but for some, it’s a passion. John Elliott, Pluralsight Author and cybersecurity specialist, bridges the gap between regulation and cybersecurity and shares his insights to help cybersecurity professionals succeed.
Why is writing cybersecurity standards challenging?
The multifaceted nature of standards writing is subject to the constant advancement and increasing threat from outside pressures, especially in the tech industry. The lessons from writing global security standards are also applicable to every organization as it develops its own internal information security policies, procedures and standards.
John has experienced a fair share of challenges navigating the complexities of cybersecurity. His recent contributions to The PCI Data Security Standard version 4.0 (PCI DSS v4.0) presented several learnings. Read on for the highlights.
Committee-based cybersecurity standards
Most global cybersecurity standards are written by committees and while this approach has lots of merits, it also carries certain risks and challenges. This committee approach is also quite common when developing internal policies and standards.
For example, varying input can lead to unwarranted additions because of one person’s particular enthusiasm, and which are not clear. “A camel is a horse designed by a committee,” says John.
To be an effective committee member and improve collaboration (and to avoid those unclear additions), you need to understand where people are coming from. As John says, "It's about listening, understanding and influencing."
Writing data security standards for a range of technologies
It can be challenging to align varying areas of expertise to produce an outcome that meets the needs of a security standard. “You need a very broad technical brush,” says John. “You’re writing standards for development, infrastructure, DevOps, cloud, everything.”
It’s crucial to involve a diverse group of experts, such as technologists, security professionals, policymakers, and industry representatives, in the standards development process. Internally this means that standards and policy development is a team sport.
Design principles for effective cybersecurity standards writing
Keeping design principles in mind allows for better decision making when navigating the challenges of writing cybersecurity standards.
With an abundance of considerations, the right principles help you keep the important values front and center. But you may not know where to start.
John shares these three design principles to help craft effective cybersecurity standards:
1. Avoid assumptions and holes in standards language
“You can’t leave assumptive holes,” says John. “It’s probably the biggest [principle].”
John shares this example from an earlier version of PCI DSS. “An organization had a compromise. It was discovered that they had antivirus software . . . but it wasn’t turned on. They argued that the standard didn’t say it had to be turned on.”
Leaving things up to interpretation can lead to noncompliance and vulnerability for organizations, increasing the opportunity for financial risk and data breaches. When writing standards, you always have to think of how it could be abused, and how a certain percentage of the target audience might deliberately mis-read things in the standard.
2. Use clear and accessible language
Governance, risk, and compliance is the beating heart of doing security well. And that starts with making cybersecurity accessible and understandable for everyone.
“If people don’t understand why they’re being asked to do something, they’re less likely to do it,” says John. “You’re always thinking, how do we write it clearly?”
Clear and actionable information is vital to the integrity of a strong cybersecurity standard.
“When writing PCI DSS 4 . . . we separated what was in the standard and what was good practice,” says John. “We spent a lot of time making sure it was very clear.”
Providing possible implementations and clear guidance strengthens the effectiveness security standards can have, and makes it clear what people have to do, and what’s just recommended good practice.
3. Find the parallels in visual design principles
Visual design principles guide the creation of aesthetically pleasing and functional designs. You can apply similar principles to the development of cybersecurity standards.
The principle of simplicity in visual design can be translated into the need for clear and concise language in standards, ensuring that requirements and guidelines are easily understandable.
Utilizing subheadings and easy-to-follow sections with clear and actionable information ensures accessibility and understanding for everyone. Most people are a little apprehensive of standards and policy documents – the more you can make the document itself approachable and readable, the more chance there is that people will be able to read and understand it. This is as true for your internal policy and standards documents as it for global standards such as PCI DSS.
“When writing PCI DSS 4 . . . we separated what was in the standard and what was good practice,” says John. “We spent a lot of time making sure it was very clear.”
Providing possible implementations and clear guidance strengthens the effectiveness security standards can have, and makes it clear what people have to do, and what’s just recommended good practice.
Prioritizing learning and upskilling for cybersecurity professionals
Our 2023 State of Upskilling report found that only 17% of technologists are completely confident in their cybersecurity skills. That lack of confidence could equate to money lost through an avoidable risk or breach for organizations.
For John, the solution is simple: prioritize learning opportunities.
>>> Get tips to better understand your role in protecting your organization.
Seek out targeted learning opportunities
“In security, we’re often faced with things that are new. If you’re new to [cybersecurity] . . . learn the stuff you’ve never seen before,” says John.
One thing is certain, data protection and security standards change. Whether you’re an expert or a beginner, the need for learning will always be there.
Understand the technology of DevOps and DevSecOps
“‘I’m sorry I don’t understand that, can you explain it to me?’ Those would be my magic words," says John. “I've found that just about everyone else in technology is really happy to give you the time to explain their expertise.”
Embracing DevOps and DevSecOps knowledge allows you to learn and adapt in real time to the evolving tech landscape.
When you’re aware of the technology outside your immediate role, you’re able to be a better collaborator for your organization.
For more insights from John, watch his full Pluralsight Spotlight episode.