Today, I am returning to this topic and highlighting three different perspectives.
I see them as a progression, each with a marked improvement over the previous piece.
The first is in TechRepublic: “Can your organization obtain reasonable cybersecurity? Yes, and here’s how.” The author is Michael Kassner, a freelance writer who specializes in business and technology. He has been referred to as a cybersecurity expert; as best I can tell, he has never been a practitioner.
Kassner’s thoughts are based on his review of “Cybersecurity Risk: What does a ‘reasonable’ posture entail and who says so?” He refers to that work when he says (in these excerpts):
…lawmakers and regulators are responding to the escalating number of cyberattacks by requiring businesses to meet certain cybersecurity standards to achieve reasonable security. However, “Without a defined, coherent standard to use as a reference, companies are left wandering in the wilderness when it comes to compliance with these often ambiguous laws and regulations.”
Since cybersecurity and its regulation are moving targets, companies tend to copy what other organizations are doing to secure digital assets, hoping it will be seen as good enough…. “With data-breach litigation increasing, this practice is nothing short of risky as businesses are…