Caute_cautim
Community Champion

A "D" Rating for a country

Hi All

 

I went along to a local Cybercon conference the other day, and it was interesting to see the assessment by a worldwide well-known consultancy company, which branded the entire country in terms of security readiness and maturity as a "D" rating. Especially as the country is working towards Digital Identity and Open Money initiatives.

 

What strategies would you suggest to raise a country from a "D" to say a "B" over a period of 36 months?

 

This covered all the basics, including privacy, physical access, bypassing gateways and web sites.

 

Regards

 

Caute-Cautim

4 Replies
JKWiniger
Community Champion

This needs entirely more context. To make such a blanket grade is not helpful considering private vs public sectors are so completely different and cannot be changed in the same ways. To make such a generalized grade is not useful because it gives no guidance as to what areas are seen as doing well and what areas are doing poorly, or even what areas were looked at.

 

Give me context and I will give you better answers.

 

John-

CraginS
Defender I


@Caute_cautim wrote:

...

What strategies would you suggest to raise a country from a "D" to say a "B" over a period of 36 months?

...


John,

If you are asking how to upgrade the rating with the (unnamed) company in their report, we need to know the details of what criteria that company is using to summarize a complex system and policy environment into a single letter grade. It might help, also, to know what the company is, in order to factor in the likely focus and professional bias that company uses in their scoring within the criteria.

Or are you asking what criteria we would use to give a nation a single letter grade for current state of cybersecurity?

 

Just the one area of maturity brings to mind the complexity of several complexity maturity models (CMM) I have studied over the years.

 

At the national level, as opposed to a single company enterprise CMM assessment, we need to consider laws, regulatory processes and rules, authoritative agency policies, supportive programs provided by the government, and even whether the rating is based on only governmental aspects, or also other entities such as privately owned utilities.

 

Sorry, but you have planted a very complex concern in a simplistic leading question.

 

Oh, and a final thought: Why do you care what one analyst team has done to oversimplify a demonstrably complex area of concern? Such simple score programs bother me because they tend to mislead both the public and political figures to look for simple answers to complex questions.

 

Good luck!

 

Craig

D. Cragin Shelton, DSc
Dr.Cragin@iCloud.com
My Blog
My LinkedIn Profile
My Community Posts
Caute_cautim
Community Champion

@CraginS @JKWiniger Thanks for the responses: Well, one of the Big Four has supposedly carried out over 183 organisations (remember 10% are larger than 250 users, and the other 90% have less than 250 users, or even one man and his dog). The types of tests conducted: Physical Penetration Tests, Penetration Tests (ethical), vulnerability scanning, phishing tests, security awareness and social engineering tests, both physical and via communications, i.e. telephone, e-mail and social media. This includes Government Agencies, commercial entities etc. The usual never-patch-systems syndrome exists, and the typical Kiwi attitude of sticking one's head in the sand is prevalent along with the words "It hasn't happened yet".

 

https://en.wikipedia.org/wiki/It_Hasn%27t_Happened_Yet

 

So Phishing is deemed to be the highest factor within the nation at present. Ransomware is definitely prevalent, and the Inland Revenue have proven, via Bitcoin chasing and tracking, that some organisations are paying directly and using Cyber insurance as the backstop. Inland Revenue, or the Tax Office, have a valid reason to see who is paying the Internet tax or not, etc.

 

There are relevant laws in place: the Crimes Act, the Harmful Digital Communications Act, and the Privacy Act is being revised to make it GDPR aligned. Interception of Telecommunications for ISPs etc.

 

Current state is that no one actually has to report an incident, unless the Privacy Commissioner gets wind of it and goes public. Great drive towards Digital Identity, and recently adopted W3C WebAuthn as the preferred authentication approach.

 

Technology is the main focus; People and Processes are left far behind.

 

Hope this provides a better background?

 

Regards

 

Caute_cautim

 

CraginS
Defender I


@Caute_cautim wrote:

...

Hope this provides a better background?


Yes, it does, thank you. However, I still see no point in wasting resources to attack improvement of the mystical single-letter grade. Instead, use a full systems process, which you clearly understand, and prioritize based on frameworks like the CIS Top 20 to fix what is important and impactive.

 

Good luck.

 

Craig

 

D. Cragin Shelton, DSc
Dr.Cragin@iCloud.com
My Blog
My LinkedIn Profile
My Community Posts