A survey of critical infrastructure companies by Enterprise Strategy Group reported that the companies with the most industry regulations to address tended to have better security practices, something that did not strike me as all that surprising. What did strike me as somewhat surprising, though, was some of the things respondents agreed the government should do regarding cyber-security.
According to the survey, which polled a total of 285 security professionals in industries such as food and agriculture, defense and information technology, 39 percent said the government should "enact more stringent cyber-security legislation along the lines of PCI." Thirty-two percent believed the government should create legislation with higher data breach fines.
"My guess is that they want to codify a set of strict requirements and controls into a single universal regulation," said Jon Oltsik, an analyst with Enterprise Strategy Group. "Remember too that these organizations do electronic business with less secure firms that could compromise their security as well. The current landscape is made up of security 'haves' and 'have-nots,' which makes us all less secure."
In his testimony before the U.S. Senate Committee on Homeland Security and Governmental Affairs on Nov. 17, Mark Assante, president and CEO of the National Board of Information Security Examiners, said new regulations are needed to provide risk-based performance requirements that would discourage what he called a "predictable and static defense." On the one hand, regulations can serve as a solid baseline for security; on the other, they can give a false picture of an organization's posture if security is reduced to filling out a compliance checklist.
The call for more stringent regulation was loudest among businesses that are already heavily regulated. Fifty-seven percent of companies dealing with three or more compliance regulations said they wanted more stringent cyber-legislation, compared to 31 percent of those that must meet fewer than three compliance mandates. The discrepancy was similar on data breach fines: 44 percent of those with three or more compliance mandates said fines need to be higher, compared to 26 percent of those with fewer than three.
What all this shows, Oltsik said, is that businesses know what is working and what is not.
What do you think?