The principle of governance is to enforce processes are conducted consistently per established and approved policies or directions in an organization.

That way, the business outcomes are also consistent.

Some incompetent cyber security practitioners I have seen are just play by ear to spell out requirements for what they think is more secure. without considering practicality and the underlying overheads. An example is to keep an register to record which OT system uses USB thumb drive. All OT systems use USB because of isolated network environment for file exchange. The key point is how to manage the use of USB securely rather than keeping such a register.

We must ask how much protection is increased by adding protection (no matter technical control or administrative control) and will more risks be introduced if not doing so.

We must stick to the established policies. If there are “bugs” in the policies, admit it. Schedule revisions with stakeholders involved to align with business requirements. Until then, park the new requirements as desirable changes as this lacks of approved policy foundation.

Leave a Reply