Is Regulation Inevitable for Enterprise Security? - Page 2
Herrod, along with security experts such as Darwin John, the former chief information officer of the Federal Bureau of Investigation, sees more regulation as inevitable. Why? Corporations aren't going to voluntarily adopt best practices and revamp security systems when the returns on investment are murky. At Fannie Mae, Herrod helped ensure that the mortgage company matched its business partners' compliance with the Gramm-Leach-Bliley Act of 1999, which requires financial data privacy. At GlaxoSmithKline, her projects revolved around compliance with Food and Drug Administration rules. "The only reason I got any money to implement was regulation," Herrod says.

Putnam's effort is the latest to beef up the nation's cybersecurity. President Clinton issued a directive on information security in 1998, outlining basic requirements such as antivirus protection and authentication. President Bush followed up with a plan that urged a public-private partnership to secure the Internet. That plan, penned in 2003 by Richard Clarke, former special advisor to the president for cyberspace security, has had little impact so far.

Despite the lack of success from the government's previous plans, security experts are taking Putnam's legislation push seriously because Congress was able to pass FISMA two years ago. Why not expand a cybersecurity edict to the private sector? "Ultimately the government is going to have to stand up and have clear requirements," says AMR analyst Lance Travis, adding that the private sector is unlikely to follow information best practices in unison because of costs. Clarke says he doesn't favor additional regulation to govern cybersecurity, but would like current mandates to be more specific on information security. He also advocates a series of steps that both the public and private sectors can take: avoid software vendors with insecure applications, require two-factor authentication, benchmark the security of applications, diversify software vendors, and so on.
In any case, the clock is ticking. Recent cyber-attacks will only get worse unless the public and private sectors cooperate to beef up information security. One problem: Companies don't consider their networks part of the national infrastructure. Since all networks are interconnected, however, technology executives need to realize that their corporate networks could easily become a staging area for a cyberterrorism attack. "What we see today is the tip of the iceberg of what could happen if a terrorist set out to do something," says Clarke. "As long as [an attack] is possible, you run the risk that somebody will do something more significant."
Meanwhile, cybersecurity is getting worse. In the last six weeks, source code from Cisco Systems was leaked on the Internet, the Sasser worm wreaked havoc on corporate systems and Gartner reported that consumers lost $1.2 billion in 2003 due to "phishing attacks."