Streamlining and slimlining of standards is needed in information security.
Speaking on a panel at the EEMA and TDL Trust in the Digital World conference in Vienna, Demosthenes Ikonomou, head of the information security and data protection unit at ENISA, said that the recent Cybersecurity Coordination Group (CSCG) whitepaper was too “high level” in his view and that, as a result, he doubted it would work in practice. “It should have a number of key initiatives at the EU level, but it is not clear how it can come into practice and how it can come to market.”
Commenting, Professor Bart Preneel from the Catholic University Leuven, said that doing some evaluation is better than none but that we are “failing as a community on how to do this” as the context of security changes.
He said: “Most standards are broken and are put in for optimisation, and as soon as they are discovered they are broken. Are they secure or correct? I don’t know. High complexity is a barrier for entry and difficult for information security, and this is a barrier for evaluation, and if you comply with so many things, secure implementation is very difficult.
“We do need security standards as without them we cannot have security, but we need fewer and better as there are way too many and it is a battle to make changes. For the ISO standard it can take five months.”
Ilias Chantzos, senior director of Symantec, asked whether the market needs standardisation, and whether there is a regulatory requirement forcing it. He said: “How do we look at the issue of standards, and at the problem of the need to introduce to one that need to support?
“We welcome competition between standards and we try to address the needs of customers and support different standards in products, but if there is a technical standard, is there a need for it? People will buy it and support it. There needs to be a standard which allows compliance with requirements.”