Feature By Laura Wilson, JD, CISA Candidate, ISR Corporate Liability Editor
Security expert Bill Brenner of CIO.com writes about the recently released CSIS report and asks whether the Department of Homeland Security should have primary responsibility for our cybersecurity.
Brenner quotes the CSIS call for increased regulation:
"Last week, a group of outside experts recommended cybersecurity be moved from DHS -- which "isn't equipped to protect the federal government against cyberattacks" -- to an office within the Obama White House. Many members of the Commission on Cyber Security for the 44th Presidency "felt that leaving any cyber function at DHS would doom that function to failure," according to its recently-released 96-page report."
"The commission also wants new government regulations to protect computer networks in the U.S. Such regulations would call for readjusting government efforts to defend its own infrastructure, but regulations for private industry are also needed, the report said."
We want to caution against the assumption that new regulation is required before more work can be done on data security, and point out to security advocates that we already have many tools in our regulatory and legal kit required to begin making changes.
We do need new regulations regarding the fiduciary obligation of companies, and the individuals within those companies, to protect the sensitive data that they hold in trust.
There is much agreement on that point.
For certain industries such as the financial industry, we don't need to wait for new regulations to enforce that responsibility, and to hold companies and individuals liable when they willfully or negligently bypass the protections that are promised to consumers, shareholders, and regulators.
There are tools on the books now, including Sarbanes-Oxley, that we can use to hold financial companies responsible for how they handle that data. The financial industry has long understood and acknowledged the importance of information security. If you know the questions to ask, you can find that the companies themselves are well aware of their obligations, and exactly where their security train fell off the infosec rails.
Now we need to educate information security stakeholders, including the in-house control teams, the many outside plaintiffs' attorneys and privacy advocates that are circling in the skies, and the regulatory enforcers, on how these problems occur, even in companies that spend hundreds of millions of shareholder dollars on trying to limit their risk.
We need to teach the many security stakeholders how these unnoticed gaps happen, how to find them, and how to fix them. Shining the light of accountability on these control bypasses will automatically go a long way to fixing this lapse.
I have worked in the financial industry, managing infosec deals for several of the largest international players. I have also been senior attorney and corporate governance issue-spotter for companies that access protected information. My colleague Kevin M. Nixon is an internationally-recognized information security expert, and was instrumental in writing many of the standards that cover the financial industry.
We are educating stakeholders, privacy advocates, and proactive companies about common gaps in the Business-As-Usual system, and how to remedy those gaps while keeping business running. (Obviously, we do this commercially. But for government and appropriate non-commercial purposes, we will volunteer, again.)
It's vital that everyone concerned with protecting sensitive information, shareholder value and national security knows that many of these infosec gaps are readily found and fixed. We have to talk about the problem, and about workable solutions; otherwise, the companies just keep yelping that they're trying really hard, but they just can't put the gas tank anywhere except in the back of the Pinto.
There is no excuse for any financial company not adhering to the core requirements of information security. We may not be able to prevent every earthquake, but we can damn sure get our buildings up to code.
This message needs to be brought home to every person in the financial industry. And we don't have to wait for new regulations to do it.
By Laura Wilson, Information-Security-Resources.com Corporate Liability Editor. Laura is a business consultant and an advocate for information security, consumer protection, long-term shareholder value, and better management decisions. Her specialty is finding and fixing risks and threats to sensitive data. Her experience includes international banking, credit card, and mortgage companies, venture capital portfolio companies, and software and technology providers.