Interviews

Standards and the right supplier

by Mark Rowe

“Is my supplier certifiable?” is a question posed by Simon Saunders, managing consultant, Portcullis Computer Security.

“It is our equivalent of being Corgi registered,” say salespeople everywhere. Accreditations, standards, certifications and their brethren (we’ll call them all standards for the sake of simplicity) often form a key part of a sales pitch, which in turn forms a key part of the buying process. The question is, what value do they offer in the real world?

Starting with the good: independent verification of ability, process, management, etc. is valuable. It provides a tangible way to differentiate suppliers or personnel and provides assurance that a minimum standard has been met or that a capability has been independently verified as present. Where standards fail is when they are misunderstood or misused, which results in the perceived value not being realised. By exploring common misunderstandings and misuses, the aspiration is to maintain the value of standards across the board.

Just because two companies have the same accreditation does not make them identical. This sounds exceedingly obvious, but time and again it gets forgotten, especially by procurement departments, which often place high value on a seemingly relevant standard and then on price. Success depends on much more than just these two factors, and there is still the need to match supplier to requirement, time scales, availability, project size, experience, value, wider skills and many more factors. The same standard could be held by a sole trader and a multinational, and even if they quote the same price, it is madness to think that they would approach the job in the same way. The lesson here is that standards do not offer a short-cut to selecting a supplier. They might help to create a short-list, but be careful of placing too much value on a standard alone.

The Department for Business, Innovation and Skills (BIS) identified in its UK cyber security standards research report in November 2013: “The number of standards relating to cyber security in some form exceeds 1,000 publications globally.” The sheer multitude of standards available within any particular arena, of which cyber security is just one example, brings confusion to the marketplace and compounds the challenges detailed herein.

Whether a standard is of any value is often very murky. What we do know is that standards are a brand and the owner of that brand will always promote it positively. Inevitably there is an industry that springs up around any standard, with those offering training and support to those that would like to be assessed, none of whom would say anything negative. Those that hold a standard have put time, effort and money into achieving it and will promote it accordingly. This makes it very difficult to establish the value of a particular scheme, even more so when rivals overstate the value of their chosen standard over that of competitors. However, the risk of a poor engagement or unexpected exposure sits entirely with the client and before a standard can be held up as being of any value, it has to be understood by the person valuing it. To unwittingly believe that a standard reflects excellence, while instead it measures competence, could result in a high risk of disappointment.

Somewhere between selecting the right supplier and placing the correct value on a standard is the need to ensure that it directly impacts the intended engagement in the expected way. It is wrong to assume that just because an organisation has achieved a particular standard, that is automatically of benefit to all clients in all circumstances. Professional standards can often be held by companies and their employees, and in reality you need a combination of both to get the perceived value. However, what often happens is that a number of uncertified people are involved in projects. This is not in itself a bad thing, but could result in something different to what is expected. Parallels can be drawn to other types of standards; certification scopes under ISO 27001 [international standard for information security management], for example. The company may be certified, but does the scope cover all client data, in all circumstances? Do the supplier’s information security standards match your own? It comes back to this point of receiving the expected value, although this is moving away from the standard itself and is more about the application of it.

Considering the above, do standards hold any value? The answer: yes, every single standard is of value, but it is a case of recognising the extent of that value, taking into account other relevant factors and ensuring that the perceived benefits are realised. This is no easy task, and the standards bodies, vendors and media have a responsibility to accurately portray and educate clients on the relevance and value of particular standards. Clients have an equal responsibility to fully understand their requirements and to accurately map these against vendors and the certifications that they hold.

Visit https://www.portcullis-security.com


© 2024 Professional Security Magazine. All rights reserved.