New Cybersecurity Czar's Crazy Ideas Won't Fit In Washington

from the might-we-suggest-starting-at-the-VA? dept

CNET News.com has an interview with Greg Garcia, the new assistant secretary for cybersecurity and telecommunications in the Department of Homeland Defense -- the country's top cybersecurity official. Perhaps the most interesting part of the interview is where he discusses his plans to call on Congress to create some incentives for companies to invest in better security and training. There's a risk in creating incentives for this sort of thing, since many companies will just focus on creating solutions that comply in order to receive benefits, rather than ensuring something is actually secure. But the idea of creating incentives, or at least removing disincentives, generally makes sense -- perhaps too much sense to survive in Washington. If you consider how courts and governments respond to security breaches that expose people's personal information, it could almost be argued that companies have an incentive not to invest in better security, since they get let off the hook so easily, and when they do get in trouble, the penalties are such a slap on the wrist that it probably makes more sense just to accept them as a cost of doing business, rather than investing in security and changing procedures to avoid paying them in the future. It appears that this is what many companies do already. For instance, in the wake of the recent TJX data leak (which looks like it's the biggest credit-card leak ever), it was revealed that just 31% of retailers follow Visa's regulations on how credit-card info should be handled. But if they don't comply, and lose data, they're not the ones on the hook for fines -- the bank that processes their payments is liable -- so they hardly have any reason to follow the rules. And in any case, Visa assessed less than $5 million in fines last year, which isn't even a drop in the bucket to the banking or retail industry. The incentives in this area are badly misaligned; hopefully this new cybersecurity czar will be able to straighten them out.


Reader Comments

  1.  
    Search Engines WEB, Feb 21st, 2007 @ 5:32am

    HIPAA and Sarbanes-Oxley

    Analogies can be made to the causes for the creation of HIPAA and Sarbanes-Oxley.

    In this current business morale climate, companies must be forced by fear to go that complicated extra mile to protect the consumer - when there is not an obvious tangible reward or immediate PR benefits.

  2.  
    Evil_Bastard, Feb 21st, 2007 @ 5:41am

    Only the small/medium business owner is worried at this point. We've done many network/website/security assessments and it's always the little guy who is most afraid of breaking the PCI standards.


  3.  
    Sherman T. Potter, Feb 21st, 2007 @ 6:13am

    Leaks

    Aw, pony pucks!


  4.  
    Overcast, Feb 21st, 2007 @ 6:38am

    Yeah!! Who needs 'incentive'? Just make more senseless laws that take away people's rights!

    Isn't that the 'trendy' thing to do now?


  5.  
    Spork, Feb 21st, 2007 @ 7:35am

    Re:

    Huh? Maybe I read the wrong article, but this didn't have anything to do with people's rights and everything to do with protecting your private data collected by companies during your normal business transactions. The incentive is to get businesses to actually keep a consumer's info secure. If you're implying that it takes away from the business' rights, you're nuts. Standard ethnical business practice would dictate protecting your consumer's information.


  6.  
    Spork, Feb 21st, 2007 @ 7:38am

    Re: Re:

    Two things:

    1) I meant "standard ethical" not "standard ethnical"
    2) Completely disregard my comment if you were being sarcastic. Sometimes I miss sarcasm in type :)


  7.  
    Patrick Mullen, Feb 21st, 2007 @ 8:56am

    I would say though that as long as the security officer of a company is the person responsible for the success and the failure of company databases, customer records and its network, companies will never solve the security issue. If security isn't the responsibility of every employee, with ultimate responsibility residing in the office of the CEO, then the game is already lost. What is needed is Systemic Security Management (SSM). SSM describes an approach to security that encourages companies to make it an enterprise-wide focus, not just a functional responsibility. SSM is about the management of the "tension" points between people, process, technology and organization. The management issue is one of leadership that "does the right thing" and is not limited to the traditional confines of ROI. It is a management approach to security that goes well beyond the boundaries of the company to include not just people, process, technology and organization, but also partners, suppliers, customers and communities. SSM advocates that companies not just buy security, but also genuinely buy into security. Technology isn't the only answer, and it can never solve the security issue. Companies need to stop jumping at the latest security vendor hype, need to stop just going out and buying the latest security "solution" and stop just reacting to the latest vulnerability. The govt. can play a part in either partnering with industry or regulating it. I think Greg Garcia is on the right track in trying to provide a carrot before he asks for the stick. Hopefully he will be successful.


  8.  
    Michael, Feb 21st, 2007 @ 10:25am

    Re: Patrick

    I agree that technology won't be the sole solution to the security problem. However, I think that without the latest technologies there is no way to stay ahead of the hackers. In addition to behavior training for employees, the software expected to use must be simple to understand. Otherwise integration into daily behavior will never occur.

    Regulations like HIPAA (http://ezinearticles.com/?The-Modern-Medical-Office:--Balancing-Success,-Technology,-and-HIPAA&id=397130) are not a joke if they were to be carried out. The carrying out of the act itself in last year's violations would have paid for the operating costs of the carrying out itself. Incentives should be provided but only in conjunction with following the compliance regulations.


  9.  
    Anonymous Coward, Feb 21st, 2007 @ 6:23pm

    Those who handle sensitive personal information (should or do) have a fiduciary responsibility to protect it. Why should the government pay them to do what they already have a responsibility to do?

    Here's an incentive that can work - pass a strong law and start throwing violators in jail. Making the penalties severe and certain is all the incentive that is needed or desirable.


  10.  
    Charles P. Meister, May 7th, 2007 @ 12:18pm

    Re: Systemic Security Management

    Of course, we think you are right on. We'd agree that Mr. Garcia's approach is a start. However, the best way to make security work is to make it a 'C' level initiative. The C suite will mandate SSM when they understand that it's about competitive advantage and brand survival.

    We have a number of companies who 'get it' culturally. However, the majority still approach security from a technology orientation alone and are stuck in Level 1 and, thus, are highly vulnerable. So, our work continues...

    Where did you learn about SSM?

    Charlie Meister
    Executive Director
    ICIIP at USC
    213-740-0980
