A First Look at Governments' Enterprise Security Guidance
Kimberly Ruth
34th USENIX Security Symposium (USENIX Security '25) · Day 1 · Social Issues and Usable Security and Privacy
In an increasingly complex and interconnected digital landscape, organizations of all sizes frequently seek authoritative guidance on best practices for cybersecurity. Governments, often perceived as impartial and reliable sources, have stepped into this critical role, with agencies like the US's **Cybersecurity and Infrastructure Security Agency (CISA)** and the UK's **National Cyber Security Centre (NCSC)** publishing extensive resources. This talk, presented by Kimberly Ruth, a PhD student at Stanford, presents a comprehensive analysis of this governmental enterprise security guidance, examining its scope, content, and consistency across nations.
AI review
Rigorous empirical work that most practitioners have never thought to do: actually read what governments are telling companies to do, across 41 countries, and measure whether any of it agrees. The finding that Five Eyes allies share only 13% of their 'essential' controls is genuinely embarrassing to the agencies involved and useful to everyone downstream of their guidance.