
Is the stick or the carrot best motivator for security?

Conference goers weigh which government incentive is more effective in moving companies towards more secure networks and systems.

NEW YORK - Many people think the government's role in improving cybersecurity is imposing and enforcing regulations.

But it can do a lot more positive reinforcement to encourage secure business practices, including serving as a trusted conduit for threat information.

Such was the message of Amit Yoran, director of the National Cyber Security Division at the Department of Homeland Security. "We are not taking (regulation) off the table," he said yesterday at the Information Security Decisions conference. "But a combination of tough standards and incentive-based programs will foster better security more effectively."

Yoran makes an interesting point. Many would have the government use a stick to punish companies that aren't secure. There are already laws on the books, such as the Health Insurance Portability and Accountability Act, which levies penalties on companies whose security is not up to snuff.

But what if the government rewarded companies for being secure or, at least, did things that would make being secure easier? Some conference attendees were asked which is a better incentive.

"The problem is the government is not in the business of rewarding good behavior. It's much better at punishing bad behavior," said Jim Malcolm, a database manager for AT&T.

Other attendees said they would like the government to centrally manage the information it collects about threats. "I would like to see it centrally located at the Department of Homeland Security. There are still a bunch of parallel efforts," said Stephen Case, who works in an IT department for a U.S. bankruptcy court.

Case would also like to see more discussion and sharing of information among all security professionals in the government. "They only peripherally talk with each other now," he said.

David Olsen, a network administrator for ServiCom, would also like to see a central place for information for security professionals. The new US-CERT Web site is a good start. He thinks the government's role is to provide information, but it is up to the industry to regulate itself. "A lot of government regulation takes a one size fits all approach. It would be difficult for a small business to implement measures geared towards enterprises and vice versa," he said.
