ABSTRACT

This chapter discusses how sensemaking and translation processes can affect the use of standards, and the role these processes can play in relation to standardization of cybersecurity for critical infrastructures. The concept of standardization is often understood as ‘everyone doing things in the same way’. However, global or international standards need to be translated into situated (local context) practices. Information systems security (ISS) and cybersecurity standards are universal and general in their scope and provide little guidance to the organizations that wish to adopt them. The people carrying out the translation of the standards can come from very different organizational contexts, and these different contexts will affect the outcome of the translation. They will try to individually and collectively make sense of the content of the standards, and the standards will be adapted and made to fit their real-life context. If we acknowledge that standards are more of an opportunity for interpretation and sensemaking, then creating international and global standards can be an opportunity to share expert advice and good practices to increase cybersecurity, rather than to have ‘everyone doing things in the same way’.