The big problem comes from the resources and people who are supposed to be working the program in the event of an incident. "With physical incident response/disaster recovery, these people have emergency roles which they assume in the event of a storm, or a major component failure, or a squirrel. But when it comes to the digital incident response/disaster recovery plan, these people, who are supposed to be working the program in the event of an incident, often don't know their roles," Grimes adds.
It's not all bad, but more can be done
As mentioned earlier, despite the problems he outlined, CIP overall works, and the facilities that are bound by it are better because of it. However, the lesson is that compliance isn't security, and in some cases it isn't even a good baseline. Developing an honest threat model and understanding the real risks the organization faces will go further toward a solid security baseline than any compliance measure.