Whilst completing his review of automotive cybersecurity standards, David Rogers of Copper Horse tipped me off to the inconsistent and sometimes exorbitant prices charged to obtain industry standards covering subjects like cybersecurity and safety. As Rogers put it in a subsequent blog:
…most cost savings should be baked into the final price, so it is bizarre to see such large differences for what are identical documents delivered digitally.
One of the world’s best-known standards illustrates how idiosyncratic pricing can be.
…in the last, and possibly most curious, of our examples we considered ISO 9001. The widely deployed requirements for quality management systems could be purchased for EURO 33.49 (GBP 27.8) from the Estonian Centre for Standardisation and Accreditation (EVS), CHF 138 (GBP 110.5) directly from the ISO shop or for GBP 155 (or GBP 77.5 with a member discount) from BSI.
Standards bodies need money to function. But if there were a standard for consistent pricing, many of them would fail to comply. We live in an era when most publications are delivered online, so it is difficult to argue that wildly different prices reflect practical obstacles to distribution. Standards are a form of taxation on businesses that want or need to comply with them. In general, we should all want businesses to follow standards that are meant to protect people from harm. Most of the input to such standards is given free of charge by contributors, which leads to further questions about the margins generated by each sale and how the surplus generated is used to manage overheads.
David has more patience with standards-setting bodies than I do. My background as an accountant meant my first exposure to standards came in the form of financial reporting standards. Access to this kind of content is priced sensibly when not given for free, as we should expect when all sorts of organizations, both large and small, are meant to respect and follow the standards. However, it is difficult to think of examples of anyone dying because accounting standards were not followed correctly. David’s research concerned motor vehicles, which are objects that are inherently dangerous if they fail or are misused. How much do we want to create barriers to following standards that seek to ensure cars cannot be hacked and that passengers survive accidents?
Many years ago I wasted my time trying to negotiate a deal between two separate standards-setting bodies because a great deal of trouble would be caused by them inconsistently defining the word ‘risk’ and all its associated concepts. I tried, and tried, and tried, to at least ensure some simple basics were consistent by permitting one standard-setting body to grant visibility of its output to the other. The larger body, which is not specific to telecoms, was willing to talk. The smaller one, which is specific to telecoms, was not even prepared to listen. One of the worst and most idiotic problems in risk management is that people routinely insist on talking at cross-purposes because they each insist their definition of the word is superior. But despite my efforts, two supposedly sensible global organizations could not be made to harmonize their approach, so they produced rival standards relating to enterprise risk management (ERM) and all other forms of risk management that sit underneath ERM’s umbrella. Such intransigence has helped to ensure that ERM remains the ill-respected and chaotic mess it is today, especially for telcos.
The younger version of me was more idealistic; now I appreciate you have to shove money into pockets to motivate some people. But as David eloquently points out, there are reasons why we should demand high standards of behavior from the standards-setters.
Whatever cost model is used, if the net effect is restricting the readability of standards — it is a negative outcome for humanity. Transparency of standards is crucial in ensuring the quality of what is being produced and ensuring that they can be widely scrutinised. Standards bodies that do not make their documentation outputs freely available suffer from the fact that no-one can evaluate whether a standard is well-written, useful or even applicable. This can create a situation where regulators and industry all endorse a standard ‘in name’, without ever having read it. The ultimate outcome of this is poor for everyone. It wastes economic activity around the world and potentially ruins burgeoning startups through to mature businesses. In the cyber security world it has greater implications – it could make the world less secure, but we’ll save that topic for another day.