New Cybersecurity Czar's Crazy Ideas Won't Fit In Washington

from the might-we-suggest-starting-at-the-VA? dept

CNET has an interview with Greg Garcia, the new assistant secretary for cybersecurity and telecommunications in the Department of Homeland Defense — the country’s top cybersecurity official. Perhaps the most interesting part of the interview is where he discusses his plans to call on Congress to create some incentives for companies to invest in better security and training. There’s a risk in creating incentives for this sort of thing, since many companies will just focus on creating solutions that comply in order to receive benefits, rather than ensuring something is actually secure. But the idea of creating incentives, or at least removing disincentives, generally makes sense — perhaps too much sense to survive in Washington. If you consider how courts and governments respond to security breaches that expose people’s personal information, it could almost be argued that companies have an incentive not to invest in better security, since they get let off the hook so easily, and when they do get in trouble, the penalties are such a slap on the wrist that it probably makes more sense just to accept them as a cost of doing business, rather than investing in security and changing procedures to avoid paying them in the future. It appears that this is what many companies do already. For instance, in the wake of the recent TJX data leak (which looks like it’s the biggest credit-card leak ever), it was revealed that just 31% of retailers follow Visa’s regulations on how credit-card info should be handled. But if they don’t comply, and lose data, they’re not the ones on the hook for fines — the bank that processes their payments is liable — so they hardly have any reason to follow the rules. And in any case, Visa assessed less than $5 million in fines last year, which isn’t even a drop in the bucket to the banking or retail industry. The incentives in this area are badly misaligned; hopefully this new cybersecurity czar will be able to straighten them out.

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “New Cybersecurity Czar's Crazy Ideas Won't Fit In Washington”

Subscribe: RSS Leave a comment
Spork says:

Re: Re:

Huh? Maybe I read the wrong article, but this didn’t have anything to do with people’s rights and everything to do with protecting your private data collected by companies during your normal business transactions. The incitive is to get businesses to actually keep a consumers info secure. If you’re implying that it takes away from the business’ rights, you’re nuts. Standard ethnical business practice would dictate protecting your consumer’s information.

Patrick Mullen says:

I would say though that as long as the security officer of a company is the person responsible for the success and the failure of company databases, customer records and its network, companies would never solve the security issue. If security isn’t the responsibility of every employee with ultimate responsibility residing in the office of CEO, then the game is already lost. What is needed is Systemic Security Management (SSM.) SSM describes an approach to security that encourages companies to make it an enterprise – wide focus, not just a functional responsibility. SSM is about the management of the “tension” points between people, process, technology and organization. The management issue is one of leadership that “does the right thing” and is not limited to the traditional confines of ROI. It is a management approach to security that goes well beyond the boundaries of the company to include not just people, process, technology and organization, but also partners, suppliers, customers and communities. SSM advocates that companies not just buy security, but also genuinely buys into security. Technology isn’t the only answer, and it can never solve the security issue. Companies need to stop jumping at the latest security vendor hype, need to stop just going out and buying the latest security “solution” and stop just reacting to the latest vulnerability. The govt. can play a part in either partnering with industry or regulating it. I think Greg Garcia is on the right track in trying to provide a carrot before he asks for the stick. Hopefully he will be successful.

Michael (user link) says:

Re: Patrick

I agree that technology won’t be the sole solution to the security problem. However, I think that without the latest technologies there is no way to stay ahead of the hackers. In addition to behavior training for employees, the software expected to use must be simple to understand. Otherwise integration into daily behavior will never occur.

Regulations like HIPAA (–Balancing-Success,-Technology,-and-HIPAA&id=397130) are not a joke if they were to be carried out. The carrying out of the act itself in last years violations would have paid for the operating costs of the carrying out itself. Incentives should be provided but only in conjunction with following the compliance regulations.

Charles P. Meister says:

Re: Systemic Security Management

Of course, we think you are right on. We’d agree that Mr. Garcia’s approach is a start. However, the best way to make security work is to make it a ‘C’ level initiative. The C suite will mandate SSM when they understand that it’s about competitive advantage and brand survival.

We have a number of companies who ‘get it’ culturally. However, the majority still approach security from a technology orientation alone and are stuck in Level 1 and, thus, are highly vulnerable. So, our work continues…

Where did you learn about SSM?

Charlie Meister
Executive Director

Anonymous Coward says:

Those who handle sensitive personal information (should or do) have a fiduciary responsibility to protect it. Why should the government pay them to do what they already have a responsibility to do.

Here’s an incentive that can work – pass a strong law and start throwing violators in jail. Making the penalties severe and certain are all the incentives that are needed or desirable.

Add Your Comment

Your email address will not be published. Required fields are marked *

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...