New Cybersecurity Czar's Crazy Ideas Won't Fit In Washington
from the might-we-suggest-starting-at-the-VA? dept
CNET News.com has an interview with Greg Garcia, the new assistant secretary for cybersecurity and telecommunications in the Department of Homeland Defense — the country’s top cybersecurity official. Perhaps the most interesting part of the interview is where he discusses his plans to call on Congress to create some incentives for companies to invest in better security and training. There’s a risk in creating incentives for this sort of thing, since many companies will just focus on creating solutions that comply in order to receive benefits, rather than ensuring something is actually secure. But the idea of creating incentives, or at least removing disincentives, generally makes sense — perhaps too much sense to survive in Washington. If you consider how courts and governments respond to security breaches that expose people’s personal information, it could almost be argued that companies have an incentive not to invest in better security, since they get let off the hook so easily, and when they do get in trouble, the penalties are such a slap on the wrist that it probably makes more sense just to accept them as a cost of doing business, rather than investing in security and changing procedures to avoid paying them in the future. It appears that this is what many companies do already. For instance, in the wake of the recent TJX data leak (which looks like it’s the biggest credit-card leak ever), it was revealed that just 31% of retailers follow Visa’s regulations on how credit-card info should be handled. But if they don’t comply, and lose data, they’re not the ones on the hook for fines — the bank that processes their payments is liable — so they hardly have any reason to follow the rules. And in any case, Visa assessed less than $5 million in fines last year, which isn’t even a drop in the bucket to the banking or retail industry. The incentives in this area are badly misaligned; hopefully this new cybersecurity czar will be able to straighten them out.
Comments on “New Cybersecurity Czar's Crazy Ideas Won't Fit In Washington”
HIPAA and Sarbanes-Oxley
Analogies can be made to the causes for the creation of HIPAA and Sarbanes-Oxley.
Iin this current business morale climate, companies must be forced by fear to go that complicated extra mile to protect the consumer – when there is not an obvious tangible reward or immediate PR benefits.
Only the small/medium business owner is worried at this point. We’ve done many network/website/security assessments and it’s always the little guy who is most afraid of breaking the PCI standards.
Leaks
Aw, pony pucks!
Yeah!! Who need ‘incentive’ just make more senseless laws that take away people’s rights!
Isn’t that the ‘trendy’ thing to do now?
Re: Re:
Huh? Maybe I read the wrong article, but this didn’t have anything to do with people’s rights and everything to do with protecting your private data collected by companies during your normal business transactions. The incitive is to get businesses to actually keep a consumers info secure. If you’re implying that it takes away from the business’ rights, you’re nuts. Standard ethnical business practice would dictate protecting your consumer’s information.
Re: Re: Re:
Two things;
1) I meant “standard ethical” not “standard ethnical”
2) Completely disregard my comment if you were being sarcastic. Sometimes I miss sarcasm in type 🙂
I would say though that as long as the security officer of a company is the person responsible for the success and the failure of company databases, customer records and its network, companies would never solve the security issue. If security isn’t the responsibility of every employee with ultimate responsibility residing in the office of CEO, then the game is already lost. What is needed is Systemic Security Management (SSM.) SSM describes an approach to security that encourages companies to make it an enterprise – wide focus, not just a functional responsibility. SSM is about the management of the “tension” points between people, process, technology and organization. The management issue is one of leadership that “does the right thing” and is not limited to the traditional confines of ROI. It is a management approach to security that goes well beyond the boundaries of the company to include not just people, process, technology and organization, but also partners, suppliers, customers and communities. SSM advocates that companies not just buy security, but also genuinely buys into security. Technology isn’t the only answer, and it can never solve the security issue. Companies need to stop jumping at the latest security vendor hype, need to stop just going out and buying the latest security “solution” and stop just reacting to the latest vulnerability. The govt. can play a part in either partnering with industry or regulating it. I think Greg Garcia is on the right track in trying to provide a carrot before he asks for the stick. Hopefully he will be successful.
Re: Patrick
I agree that technology won’t be the sole solution to the security problem. However, I think that without the latest technologies there is no way to stay ahead of the hackers. In addition to behavior training for employees, the software expected to use must be simple to understand. Otherwise integration into daily behavior will never occur.
Regulations like HIPAA (http://ezinearticles.com/?The-Modern-Medical-Office:–Balancing-Success,-Technology,-and-HIPAA&id=397130) are not a joke if they were to be carried out. The carrying out of the act itself in last years violations would have paid for the operating costs of the carrying out itself. Incentives should be provided but only in conjunction with following the compliance regulations.
Re: Systemic Security Management
Of course, we think you are right on. We’d agree that Mr. Garcia’s approach is a start. However, the best way to make security work is to make it a ‘C’ level initiative. The C suite will mandate SSM when they understand that it’s about competitive advantage and brand survival.
We have a number of companies who ‘get it’ culturally. However, the majority still approach security from a technology orientation alone and are stuck in Level 1 and, thus, are highly vulnerable. So, our work continues…
Where did you learn about SSM?
Charlie Meister
Executive Director
ICIIP at USC
213-740-0980
Those who handle sensitive personal information (should or do) have a fiduciary responsibility to protect it. Why should the government pay them to do what they already have a responsibility to do.
Here’s an incentive that can work – pass a strong law and start throwing violators in jail. Making the penalties severe and certain are all the incentives that are needed or desirable.