IT Security Regulations Inevitable, Experts Say

Security experts advise CIOs and CSOs to start preparing for legislation governing information security.

NEW YORK—Regulations governing information security in both publicly held and private companies are a question of when, not if, and CIOs and CSOs should begin preparing for that inevitability now, experts said during morning presentations at the eWEEK Security Summit here Wednesday.

The current climate surrounding the issues of corporate governance and privacy and the public's desire for some accountability for security breaches is driving lawmakers to consider drawing up legislation to address these problems.

"I personally believe regulation will happen sooner rather than later," said Chrisan Herrod, a professor at the National Defense University. "If you don't get involved, you will have individuals driving this train and you might not like the direction it's taking."

Herrod cited as an example a bill introduced by U.S. Rep. Adam Putnam that would require both public and privately held companies to report security breaches. The bill, which is currently on hold, is similar to a law now in effect in California, but that measure only applies to public companies.

Putnam has formed a working group to come up with steps that corporations can take to improve IT security.

Enterprise CIOs have long feared the prospect of federal regulations mandating a specific level of network security for a number of reasons. Chief among these concerns is the belief among many in the private sector that the legislators and staff members who would draft the regulations have little understanding of the complex technical and operational issues that play into a given organization's security posture. Many in the industry believe that security, like morality, is not something that can be legislated.

But that won't necessarily stop the folks in Washington from trying, Herrod said. And without the input of the people who are involved in the practice of security on a daily basis, the regulatory process could go off the tracks quickly.


"When you get the audit guys and the security guys together and you don't get the users and the people on the other end of the process involved, you can have trouble," she said.

Darwin John, the former CIO of the FBI and now a consultant with The Blackwell Group, echoed Herrod's sentiments.

"Are we going to have regulation? Probably. Are you going to like it? Probably not," John told the assembled audience of CIOs, CSOs and other senior executives. "But in the security business, there are no absolutes and that's very difficult for some people to accept."
