cyberz.wtf

Working in the cyberz makes for many WTFs

Apr 15, 2024 - 4 minute read - GRC Networking

It's 2024 and Cyber Frameworks Are Stuck in the 90s

It’s 2024. In the past 10 years we’ve seen the explosion of cloud computing and the transformation of business IT. We’ve been through a global pandemic that rapidly accelerated the adoption of remote work technologies and distributed workforces. The majority of businesses I work with these days have no servers, no internal network, and in some cases, not even an office. These changes have completely re-written the rule book (well OK, not completely) on the practicalities of cybersecurity for such businesses, upending long-held base assumptions and decades of “best practice”.

For the most part, unfortunately, cybersecurity standards and frameworks have failed to keep up, remaining firmly rooted in the past and wedded to legacy concepts like “the network”, “trusted locations”, and “teleworking” like it’s still 2004. To be honest, most of the well known standards have barely evolved since the concept of “computer security” was invented, just a few tweaks around the edges to account for new jargon and incremental advances on tools and techniques. It seems very much like no one has ever bothered (dared?) to question whether some of these concepts are still relevant, or whether the radical shifts towards cloud and decentralisation might require a ground-up rethink.

It’s a tragedy, really, yet not altogether surprising given the glacial pace with which standards move. I think, however, that even accounting for the lag between the bleeding edge and globally endorsed standards, the industry collectively has dropped the ball. The evolution of business IT has been a very long time in the making. The pandemic may have sped things up in the last few years, but we didn’t get to where we are now in some sort of overnight revolution. Co-location data centres were commoditised in the dotcom era. Virtualisation has been with us literally since mainframes ruled the digital world. Web apps have had equivalent or better functionality than most desktop apps for at least 5 years at this point, maybe even 10. The iPhone is 17 years old now. It’s not like we couldn’t have seen this coming.

For businesses running a fully cloud-based IT environment with a distributed workforce, trying (or being forced) to align with these archaic standards is an unavoidable nightmare. Cyber insurance firms still roll out the same busted old questionnaire year after year before issuing or renewing policies. Do you patch your servers within 48 hours? Is your network protected by a firewall? Does your network allow remote access? Do you have an intrusion detection system? Do you keep off-site backups for critical data? And so on.

How does a modern business even begin to answer such questions? A simple Yes/No answer probably isn’t going to cut it, because the WHY is important, but when it comes to standards compliance there is rarely room for such discretion: either you have a perimeter firewall or you don’t. Either you scan your network for unauthorised devices or you don’t. The best you can hope for is to boldly declare “that’s out of scope” or “that control is not applicable”, and hope that the auditor is merciful and/or technologically literate enough to understand your explanation of why (assuming you’re afforded the opportunity to provide one).

Wouldn’t it be great if we didn’t have to do this stupid dance? Wouldn’t it be great if there was a modern cybersecurity standard that reflected modern pure-cloud IT environments and drew on modern concepts like zero trust, everything-as-code, and DevSecOps? What about a standard with a heavier focus on the human element, since people remain the #1 attack vector for cybercriminals?

Yes, I am just complaining, and No, I’m not going to run off and write my own standard (although the thought did cross my mind). Unfortunately, I don’t yet wield the kind of influence that establishing a new global standard requires. If no one speaks up, however, we’re all just going to keep doing the same stupid dance from now until the heat death of the universe, and I, for one, simply don’t have the patience for that.

So if you’re in a pure-cloud organisation, if you have a distributed workforce and being in the office is no different to being in a cafe, the next time someone asks you if you’re compliant with ISO/PCI/SOC/NIST/CIS or some other equally pointless acronym, don’t just say yes or no, don’t just go along with it. Challenge whoever’s asking: ask them why they think that’s relevant or appropriate for your organisation. Chances are they have no idea what they’re talking about.