Cyber security kite mark being touted, but for what exactly? People? Passwords? Patches?

In July of this year a report for the Department for Business, Innovation and Skills (BIS) by Pierre Audoin Consultants made a recommendation for the ‘kite-marking’ of ecommerce sites. The intention was to provide a recognisable stamp of security quality for suppliers to SMEs and consumers. The report was also quite specific in its assertion that CHECK and CREST have too few member companies to be scalable to the UK’s 4 million SMEs, meaning that another standard was needed.

Usually this kind of thing gets an airing and is then consigned to the shelf, but not this time. Today the Cabinet Office announced that as part of the UK Cyber Security Strategy the idea from the BIS commissioned report will come to fruition.

It’s a laudable goal, to help companies to identify and tackle cyber risks, but I have some reservations about the efficacy of a kite-mark scheme for something that has so many facets. With car windows for instance I can understand how kite-marking makes sense. It is one item, that is required to do a few things within specific tolerances, and as a single unit can be tracked in its entirety throughout the manufacture and fitting stages of its life.

Lets see how that could apply to cyber security… erm… nope, can’t see it.

Maybe I’m missing the point, but when we talk about ecommerce security we really need to consider how the troublesome triptych of people, passwords and patching can be managed. Unless a kite-marked standard can define and cater for these I’m a not convinced it will be helpful, maybe the opposite in fact.