My Concerns with CyberSecurity Legislation – no teeth, paper audits, and “security” auditors
The biggest issue I have with the CyberSecurity legislation that's being put forth in Congress these days is three-fold:
- It has no teeth. It is just more policy with no accountability or meaningful penalties for non-compliance
- It consists of paper audits -- more of the same useless audits
- The auditors would not be CyberSecurity experts. This last one is insane.
This nation's critical infrastructure (power grid, water supply, oil & gas refineries, etc.) is run and managed by IT systems and software applications. These systems and applications were not built with security in mind and can only be tested and measured by IT security tools in the hands of experts. Beyond our critical infrastructure, we also have thousands of IT systems and software applications managing sensitive data -- military secrets, privacy information, our wired and wireless communication systems, and more. Many of these systems are built and managed by large government systems integrators.
Until we have IT-based policy, coupled with IT-based controls, automated monitoring, and real penalties for non-compliance (which means financial penalties), we will continue to fail when it comes to CyberSecurity protection. And we are failing, make no mistake about that. 2011 had more publicly reported data breaches than any year prior. Having spent 10 years working for various government agencies before moving to the private sector, I can tell you that the only difference between 2011 and prior years is the "public" part of those breaches -- they've been happening for years to government agencies, systems integrators, and the private sector, but most were not reported publicly.
Representative Jim Langevin of Rhode Island introduced a cybersecurity bill to Congress last March. There are four major features I like about this bill:
- It would give DHS the authority to compel private firms deemed part of the critical infrastructure to comply with federal security standards
- The standards are based on the recommendations of cyber experts with first-hand knowledge of the reality of the challenges facing each industry
- The mandated audits include IT security products that will test and monitor the systems and applications for security holes, and, most importantly in my opinion,
- It carries financial penalties for sub-standard audit results. This includes ALL organizations in scope, whether they are federal agencies, systems integrators, or private sector. If you're part of what is deemed "critical infrastructure," you must comply
Unfortunately for Rep. Langevin's bill, lobbying and political pressures have stalled it -- probably because it includes measurable accountability and, for the first time in our history, insightful, practical policy for CyberSecurity defense.