Looking back at my childhood, I have to say that my parents did a pretty good job raising me. Of course, I benefited by being the youngest of five children. By the time I became a teenager, my parents had plenty of experience and had developed a good blend of rules, discipline and expectations of personal responsibility (although my older siblings thought I could pretty much get away with anything).
Conversely, I knew kids in school who suffered from no parental supervision or overbearing parents who tightly regulated everything. In either case, this tended to be bad news for those kids.
Many of the same dynamics can be seen in the relationships between businesses and the government. Industries that are tightly regulated by the government often suffer from limited innovation, high compliance costs and limitations on company growth. This is why many companies fear government regulation in their markets.
However, areas with no regulation can fare even worse. In these areas, corporate trust is nonexistent, and the rights of other businesses and even consumers are often left trampled in the dust.
We're clearly in the latter situation when it comes to IT security. Vendors can create flawed and insecure products and suffer no repercussions for their failures. Companies can fail to properly protect their customer data and then have that data stolen, with no mandate to report the theft to customers. And despite the fact that technology security problems continue to get worse, companies can not only choose to improperly protect their data, but they can also basically choose to perform no data protection at all.
Despite all these failures, corporations continue to fight against any suggestion of government regulation in IT security.
They argue that network and software security is a relatively new thing, that they are making progress on their own, and that businesses should be given time to improve security. To me, this is a bad argument, without a lot of credibility. Worms and viruses have been around a long time, and most security experts will tell you that good security (not perfect security) is simply a matter of the will to take the right steps—steps that many companies still avoid and see only as a cost center.
More convincingly, businesses and vendors argue that government regulations will limit innovation and add unnecessary costs and burdens for companies that are already struggling to stay profitable. This I can completely understand.
In general, I'm not a fan of government regulations, and the last thing anyone wants to see is government bureaucrats running company IT departments. But while some of the industry's promises are convincing, the results have been anything but impressive. Security problems continue to get worse, and the problems can almost always be attributed to lax corporate security and bad software code, not to sophisticated hackers.
Increasingly, businesses and vendors are starting to look like the little boy who keeps saying he won't hit his sister anymore but who continually fails to keep that promise. It's high time for the little boy of IT security to get a little parental, I mean, government supervision.
But this government regulation need not be tightly restrictive or overly bureaucratic. Ideally, it should be a lot more like the balanced way my parents raised me. Companies should be required to disclose their security preparedness to the government or another impartial entity. Companies that have taken significant steps to provide secure environments would be rated highly. Most companies would probably receive "acceptable" ratings, and those that didn't meet even the most basic and minimal security requirements would get "poor" ratings. This alone should make a huge difference, as no one would want to lose sales after unsuccessfully trying to explain away a "poor."
Most important, it should be illegal for companies to hide the fact that they've had a security breach that has placed customer data at risk. There is no honest reason why a company should sit on this information while its customers are having their credit cards maxed out or their identity stolen by high-tech thieves.
Nobody likes to have their freedom limited or to be told what to do. But as many parents have said to their kids: If you want to be treated like an adult, then you need to act like an adult.
Labs Director Jim Rapoza can be reached at firstname.lastname@example.org.