New Cybersecurity Czar's Crazy Ideas Won't Fit In Washington
from the might-we-suggest-starting-at-the-VA? dept
CNET News.com has an interview with Greg Garcia, the new assistant secretary for cybersecurity and telecommunications in the Department of Homeland Defense -- the country's top cybersecurity official. Perhaps the most interesting part of the interview is where he discusses his plans to call on Congress to create some incentives for companies to invest in better security and training. There's a risk in creating incentives for this sort of thing, since many companies will just focus on creating solutions that comply in order to receive benefits, rather than ensuring something is actually secure. But the idea of creating incentives, or at least removing disincentives, generally makes sense -- perhaps too much sense to survive in Washington. If you consider how courts and governments respond to security breaches that expose people's personal information, it could almost be argued that companies have an incentive not to invest in better security, since they get let off the hook so easily, and when they do get in trouble, the penalties are such a slap on the wrist that it probably makes more sense just to accept them as a cost of doing business, rather than investing in security and changing procedures to avoid paying them in the future. It appears that this is what many companies do already. For instance, in the wake of the recent TJX data leak (which looks like it's the biggest credit-card leak ever), it was revealed that just 31% of retailers follow Visa's regulations on how credit-card info should be handled. But if they don't comply, and lose data, they're not the ones on the hook for fines -- the bank that processes their payments is liable -- so they hardly have any reason to follow the rules. And in any case, Visa assessed less than $5 million in fines last year, which isn't even a drop in the bucket to the banking or retail industry. 
The incentives in this area are badly misaligned; hopefully this new cybersecurity czar will be able to straighten them out.
Reader Comments
HIPAA and Sarbanes-Oxley
In this current business morale climate, companies must be forced by fear to go that complicated extra mile to protect the consumer - when there is not an obvious tangible reward or immediate PR benefits.
Leaks
Isn't that the 'trendy' thing to do now?
Re:
Re: Re:
1) I meant "standard ethical" not "standard ethnical"
2) Completely disregard my comment if you were being sarcastic. Sometimes I miss sarcasm in type :)
Re: Patrick
Regulations like HIPAA (http://ezinearticles.com/?The-Modern-Medical-Office:--Balancing-Success,-Technology,-and-HIPAA&id=397130) are not a joke if they were to be carried out. The carrying out of the act itself in last year's violations would have paid for the operating costs of the carrying out itself. Incentives should be provided but only in conjunction with following the compliance regulations.
Re: Systemic Security Management
We have a number of companies who 'get it' culturally. However, the majority still approach security from a technology orientation alone and are stuck in Level 1 and, thus, are highly vulnerable. So, our work continues...
Where did you learn about SSM?
Charlie Meister
Executive Director
ICIIP at USC
213-740-0980
Here's an incentive that can work - pass a strong law and start throwing violators in jail. Making the penalties severe and certain is all the incentive that is needed or desirable.