Langner and Weiss also agreed that the CSF proposal to let organizations choose the level of cybersecurity they want to achieve is ineffective. Allowing a critical infrastructure provider to set its own goals means an organization could choose a level of zero and "still be conformant with the CSF," Langner said.
"The CSF allows any organization, no matter how good or bad at cybersecurity, to be CSF-conformant," he said. "It makes everybody happy. Everybody, including potential attackers."
NIST is expected to publish the final CSF in February.