As cyber-security problems worsen, theres been an increase in the chatter in the security community calling for the government to step in and help stem the tide of viruses, worms and hackers. The common response from businesses, software vendors and industry groups has been that the government should stay out.
As Ive said before, much of the blame for security problems goes to virus writers and hackers, as well as to the software companies that fail to write secure code. Ive also often stated my opposition to any form of government intervention in IT issues, so the argument that the government should keep its nose out of the security problem does resonate with me.
However, when I look at how businesses and technology vendors have been "improving" security, I cant say I like what I see.
I do like some of the educational and base-line security recommendations that industry groups have been publicizing, such as TechNets Corporate Information Security Evaluation for CEOs. But many companies are not only ignoring standards such as these but also following practices that actually undermine general security.
Security and law enforcement professionals often lament about companies that suffer severe security breaches but keep quiet about them. Yet now many e-businesses are being proactive in their security ignorance, writing disclaimers into site-use policies that absolve them of any blame if a hacker breaks into the site and steals personal data (even if site administrators knew beforehand that there was a security problem).
Is this how businesses are planning to improve security without the intervention of government?
Last November, I wrote about a draft bill from U.S. Rep. Adam Putnam, R-Fla., that would have mandated minimum standards of accepted corporate security for publicly traded companies. Putnam never introduced this bill in Congress, which many construed as Putnam folding under industry pressure.
But Putnam didnt simply pull the bill. Instead, he formed a working group comprising security experts and industry representatives and asked the group to come up with steps that corporations can take to improve IT security.
The group, called the Corporate Information Security Working Group, recently released a preliminary report on its recommendations. I dont agree with all the recommendations, but I do think the report is an important step toward improving IT security awareness.
I do like the groups recommendations for trusted third-party security certification groups, as well as its recommendation for increased insurance protections for companies that take security precautions. This rewards companies that do the right thing and makes it more difficult for those that say, "Were not responsible even if we were negligent."
Right about now you might be asking yourself, "These recommendations sound fine, but what about a real law?"
Well, its become increasingly clear that a new law isnt really necessary. It turns out that most of the current generation of corporate regulations already force companies to meet security requirements.
As with HIPAA and health care organizations, public companies are now finding out that a big requirement for staying in compliance with Sarbanes-Oxley is improving security infrastructures—poor security could easily lead to a violation of the regulations. And the many companies that deal with the federal government are finding that they need to meet base-line security levels to continue doing business with the government.
Hopefully, companies will listen to industry and government recommendations and realize that meeting basic security requirements is not just a cost of doing business but is also good business.
Labs Director Jim Rapoza can be reached at firstname.lastname@example.org.
Be sure to add our eWEEK.com security news feed to your RSS newsreader or My Yahoo page: