
Is the stick or the carrot best motivator for security?

By Edward Hurley, News Writer
20 Apr 2004 | SearchSecurity.com


NEW YORK - Many people think the government's role in improving cybersecurity is imposing and enforcing regulations. But it can do a lot more positive reinforcement to encourage secure business practices, including serving as a trusted conduit for threat information.

Such was the message of Amit Yoran, director of the National Cyber Security Division at the Department of Homeland Security, yesterday. "We are not taking (regulation) off the table," he said at the Information Security Decisions conference. "But a combination of tough standards and incentive-based programs will foster better security more effectively."

Yoran makes an interesting point. Many would have the government use a stick to punish companies that aren't secure. There are already laws on the books such as the Health Insurance Portability and Accountability Act, which levies penalties for companies whose security is not up to snuff.

But what if the government rewarded companies for being secure or, at least, did things that would make being secure easier? SearchSecurity.com asked some conference attendees which is a better incentive.

"The problem is the government is not in the business of rewarding good behavior. It's much better at punishing bad behavior," said Jim Malcolm, a database manager for AT&T.

Other attendees said they would like the government to centrally manage the information it collects about threats. "I would like to see it centrally located at the Department of Homeland Security. There are still a bunch of parallel efforts," said Stephen Case, who works in an IT department for a U.S. bankruptcy court.

Case would also like to see more discussion and sharing of information among all security professionals in the government. "They only peripherally talk with each other now," he said.

David Olsen, a network administrator for ServiCom, would also like to see a central place for information for security professionals. The new US-CERT Web site is a good start. He thinks the government's role is to provide information but it is up to the industry to regulate itself. "A lot of government regulation takes a one size fits all approach. It would be difficult for a small business to implement measures geared towards enterprises and vice versa," he said.


