One reason new ideas, concepts, and methodologies fail is that they take too long to try and to produce early wins. I think CIE (Cyber-Informed Engineering) is in danger of becoming a well-documented, comprehensive methodology that ultimately fails as an approach to the problem.

This is not an argument against anything in CIE, or the related CCE, although I could point out parts that are not worth the time or cost. It is about CIE losing its moment in time, when it had some mindshare and momentum.

There are not many greenfield, and even fewer brownfield, sites that will allocate the time and money to do full CIE. I have seen asset owners take some of the high-consequence identification and mitigation principles from CIE and achieve large OT cyber risk reduction in days or weeks. These success stories weren’t called CIE, but they could have been called CIE Lite, Minimum Viable CIE, or CIE Jumpstart.

As CIE’s lifetime comes close to expiration, charge up the defibrillator and create:

  • a methodology that can be done in one person-month or less,
  • one that requires only skills the asset owner already has,
  • a quantity and diversity of content that instructs and aids the asset owner in doing it,
  • a simple, easy-to-understand name,
  • and a campaign to promote it.

And it can’t be promoted as “you should do the full CIE, but if you can’t …”. It has to be promoted positively: do this, and you will see massive risk reduction.

Working within limitations, like one person-month, is hard. It won’t result in the complete or best solution. Yet most innovations and success stories have come out of environments with difficult limitations.

The CIE gurus know what could and should be done in a one person-month program. I’ve had discussions with some of them on this, and there are papers that come close to addressing it.

I believe the US will need to lead the way on this. Globally, CIE has not been a serious consideration. In Europe, if a US program ever stood a chance there, it has lost to the regulatory requirements of the CRA (Cyber Resilience Act) and NIS2. It will have to be proven in the US, and soon, to avoid becoming another worthy effort that couldn’t get mindshare or budget.