Information security laws: Are they worth it for your organization?

Who wants the government's help? Who wants to be left alone? Are information security laws worth it for your organization?

This article can also be found in the Premium Editorial Download: Information Security: Negative exposure: Web scanners reveal unknown holes

An individual's opinion of proposed regulations is motivated by several hard-to-quantify factors. However, two groups -- those who either strongly support or strongly oppose security laws -- exhibit clear-cut organizational tendencies.

Security professionals who feel infosecurity laws will make security at their organization "much better" exhibit the following characteristics:

  • High number of users.
  • High ratio of users to full-time security staff.
  • Low number of reported incidents.

These characteristics exemplify an underfunded and overwhelmed security department. Security staff feel pinched on all sides. They're responsible for more users than their counterparts at many other companies, and they report fewer incidents because they don't have adequate resources or time to monitor and detect them.

They are searching for answers beyond what they feel their organization is willing or able to provide. In short, they support the prospect of stringent government security regulations because anything's better than the status quo.

They feel that help from the government can only improve their situation, even if it's the lesser of many evils.

On the other hand, security professionals who strongly oppose infosecurity laws work at organizations with these characteristics:

  • Small organization with a low number of users.
  • Low ratio of users to full-time security staff.
  • High number of reported incidents.
  • Well-funded security departments.

Survey statistics show that smaller organizations spend more money per user and per machine for security than larger organizations. They also spend a higher percentage of their IT budgets on security than do larger organizations.

These organizations report the highest number of security incidents because they have the resources and manpower to monitor their networks and servers. In short, they don't feel they need the government's help, because they're doing just fine on their own. While security is never easy, they feel they've got adequate budget and headcount to address the challenges without government interference. For them, further regulations will only divert attention and resources away from current security efforts.

About the author:
Andrew Briney is editor-in-chief of Information Security.

1 comment

Creating security laws will not help either of these businesses; they will only hinder them. If a business needs more security, they should hire out.