This article can also be found in the Premium Editorial Download "Information Security magazine: Symantec 2.0: Evaluating their recent acquisitions."
Download it now to read this article plus other related content.
CounterPoint Regulations are a good idea, but they need to have teeth—serious consequences for noncompliance, not just cheerful slaps on the wrist. Every year the Department of Whatever gets written up with a D- in FISMA compliance, but someone quickly points out that D- is a huge improvement over last year's F.
I guess we're supposed to be impressed taxpayer dollars are achieving marginal improvement, but I'm not. The idea of regulation is to establish a minimum consistent practice. I'm sorry if I sound like a hard case, but "attaboys" should not be handed out for compliance with a remedial baseline. This isn't a politically correct feel-good game in which every child wins a prize. Agencies are spending serious dollars, and moving from an F to a D- is not evidence of accomplishment; it is evidence of incompetence, mismanagement and waste.
Moving toward liability is attractive. But you can't train an animal by punishing it into doing the right thing. Holding companies, agencies and individuals liable is simply punishing them; you need a specification of that minimal baseline you can communicate effectively.
Unfortunately, that baseline may be going lower. One of the clouds on the infosecurity horizon is the idea that the already watered-down FISMA, Sarbanes-Oxley and HIPAA are likely to get more watered down. One IT executive opined that it would have been a successful strategy to ignore HIPAA
On the federal side, when the message to agency IT managers and executives is "Comply, or we'll, um, tell you to comply some more!" you can see why the entire regulatory exercise has resulted in a toothless, clawless paper tiger.
I'm in favor of federal IT regulation. In fact, I'd love to help write some. Unfortunately, mine would make people cry with rules like: "If your agency has to admit that 10-plus terabytes of data has left your network headed for China, and you just noticed, every manager in your IT organization from the CIO down gets a pink slip." I know, nobody ever gets fired from a government job—no matter how incompetent—but maybe that has something to do with why things are such a mess. We need federal IT security regulation that reads as if it were written by Napoleon Bonaparte and enforced by Vlad the Impaler, not "What, me worry?" Alfred E. Neuman.
The balancing point between regulation and liability is the one place I disagree most with Bruce: Regulation is about economics, but so is liability. The problem with adopting an economic perspective on security is that it encourages people to believe there are trade-offs where, perhaps, none exist.
Allowing security to be driven by liability means you've still turned it into an economic problem, only the economics are under the control of lawyers and liability quants. None of the folks who want to approach security as an economic problem get it—intelligence warfare presents costs that may not be measurable, or may be measurable only in a generational scale through the fall of a republic. You just can't put a price tag on that.
My feelings about federal security regulation mirror Gandhi's famous comment regarding western civilization: "I think it would be a good idea." But, please, let's make sure the regulations we enact have sharp teeth.
Please send your comments on this column to email@example.com
Coming in January: Does secrecy help protect personal information?
This was first published in November 2006