Taxing Concept? Rewarding Security Winners

By Matthew Hines  |  Posted 2009-03-04 Print this article Print

We've been threatening to punish organizations that mishandle sensitive electronic data and allow attackers to infiltrate their systems to steal consumer records for years, but here's an interesting new idea - how about rewarding those companies who go above and beyond the norm in doing a good job with data security - with tax breaks?

I assume that I'll see pigs fly long before we ever see it actually happen, but you never know what crazy ideas those folks down in DC might glom onto.

In this case, Pat Clawson, CEO of security vendor, Lumension, gets the credit since he proposed the unique takeoff on how the U.S. government might actually be able to incent organizations to work harder to improve their IT defenses.

The current system of compliance audits and fines has only encouraged organizations to do responsive "check box" remediation that meets the terms of mandates including PCI and HIPAA, the CEO argues.

By offering tax breaks and/or credits to companies that can demonstrate that they've done a superior job of protecting their assets from attack, we might see a more pragmatic response among organizations that control sensitive data, he said, though Clawson doesn't go as so far as to suggest any manner of measuring such efforts.

"We've already tried the stick--regulatory requirements such as Sarbanes-Oxley and IPAA have given basic security ultimatums to companies around the country. Sadly, though, regulations don't always guarantee security and they often have unintended consequence. Years of experience are starting to show that when it comes to the compliance with these well-meaning regulations, companies are following the letter of the law rather than the spirit of the law," Clawson wrote in a blog on his company's Web site.

"This is why we must now introduce a carrot," he said. "We need to find a way to encourage businesses to improve their security practices--without imposing additional cumbersome regulations that will not substantially improve our nation's security posture. I believe the answer is to institute tax benefits that give businesses tax credits for making security improvements above and beyond government or industry compliance mandates."

So obviously the idea is promoting positive reinforcement, versus negative reinforcement in the form of fines.

Personally, I'd like to think it'd work better to pay people who do well instead of punishing those who don't, but all we know how those propositions typically go. We don't see many compliance rewards being offered out there in the private sector, that's for sure.

One of the biggest advantages of such a plan would be that it might create incentives for organizations to invest in new security technologies that they might have otherwise passed on, suggests the CEO, though it's easy to guess just whose products he thinks people might want to spend their refunds on - especially since he suggests automated security patch remediation tools like those that his company markets.

"Take a company impacted by the Payment Card Industry Data Security Standard (PCI DSS), for example," he writes. "One of the requirements is that the business installs a software patch within 30-60 days of its release from the vendor. That's all well and good--a definite advance over not installing the patch at all. But the company would be most secure if it installed automated patch remediation that provided a way to install the patch within hours of its release. Under my proposal, such a measure would make the company eligible for tax credit."

Again, not a surprising suggestion when you consider the source, which previously went by the name PatchLink, but technological allegiances aside, you do have to wonder if it might work. Would companies actually invest the rewards they are paid in the form of tax breaks into better security controls?

Now, not even this here dyed-in-the-wool blue state borne Democrat would ever expect that Mr. Obama might go so far as to cut taxes for big businesses for doing something they should already be doing on their own. As much as it makes sense to those of us in the business, I'd be curious to know what the public might say. I'm pretty sure that it wouldn't be "let them eat cake."

But, positive reinforcement in regards to something related to IT security... is a pretty interesting idea.

Matt Hines has been following the IT industry for over a decade as a reporter and blogger, and has been specifically focused on the security space since 2003, including a previous stint writing for eWeek and contributing to the Security Watch blog. Hines is currently employed as marketing communications manager at Core Security Technologies, a Boston-based maker of security testing software. The views expressed herein do not necessarily represent the views of Core Security, and neither the company, nor its products and services will be actively discussed in the blog. Please send news, research or tips to |

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel