Cybersecurity group calls for new government approaches
More carrot, less stick, less DHS
IDG News Service - The U.S. government should explore new incentives for companies to invest in cybersecurity instead of focusing on regulation, a cybersecurity trade group said.
The Internet Security Alliance (ISA), made up of IT vendors and customers, called on the government to abandon old regulatory approaches in favor of incentives such as cybersecurity insurance, awards programs and caps on legal liability for companies that adopt cybersecurity best practices.
The alliance, in a white paper released Wednesday, said legislation that requires the government to create cybersecurity standards, including the Improving America's Security Act passed by the Senate in mid-March, takes the wrong approach. The Improving America's Security Act would authorize the Department of Homeland Security to develop standardization and certification programs for critical U.S. infrastructure, including the Internet.
"That approach will not work ... due to factors within the Internet itself," said Larry Clinton, president of the ISA. "The Internet is inherently international, it changes much too quickly, and it's under constant attack."
By contrast, a regulatory approach would be limited to U.S.-based divisions of companies, and it's slow to react to new threats, Clinton said.
Instead, the government should encourage companies to invest in cybersecurity and adopt best practices already outlined by a number of private organizations, he added. Incentives that reduce costs would help companies get over the attitude that investing in cybersecurity is a "cost center," he said.
"Government regulations can't keep up with Internet threats, but the profit motive can," Clinton added.
The incentives outlined in the ISA white paper could encourage companies to invest in cybersecurity not only in their U.S. divisions but also in their foreign ones, Clinton said.
Among the proposed incentives:
• Companies following best practices should be able to buy additional insurance for cybersecurity-related events. Some companies have deferred investments in cybersecurity because they are concerned that they aren't protected from liability, the white paper says.
• The U.S. government should limit legal liability for companies following best practices.
• U.S. government agencies should set cybersecurity standards in their procurement practices, creating new business opportunities for companies that follow best practices.
• The U.S. government should establish an awards program recognizing companies with strong cybersecurity programs.
"What we need to do is get more people to adopt [best practices]," Clinton said. "These investments are not being made aggressively enough."
The ISA is not calling for fewer penalties for cybercriminals or fewer consumer protection laws, Clinton said. "We're not saying, do less," he said. "We're saying, do more."
The ISA is a collaboration of the Electronic Industries Alliance and Carnegie Mellon's CyLab and works closely with the CERT Coordination Center. ISA helps organizations in several industries develop best practices in Internet security.