
Federal cyber security rules should learn from industry guidelines

01/29/2015  |  By: Mark Burnette, CPA, CISSP, CISM, CISA, CRISC, CGEIT, ITIL, QSA, Shareholder, Practice Leader of Risk Services



For many in the cyber security field, this year’s State of the Union speech was particularly notable, as information security took the spotlight alongside other major international and domestic issues.

President Obama said he would propose several sensible new security measures, including:

  • National rules on the circumstances under which organizations must notify the public that they have experienced a breach
  • New efforts to encourage organizations to share information related to cyber security
  • Better cyber security tools for law enforcement

Overall, these are welcome moves -- and the high-level attention to cyber security is cause for optimism. But to be effective, these measures will have to make more of an impact than past government interventions in cyber security, which have often been vague and piecemeal.

Playing Catch Up

Ultimately, the government should not need to step in on matters of private organizations' data security -- but it’s no surprise that lawmakers feel they must act. The last year has seen a flurry of high-profile breaches, from the string of hacks on major retailers to the unprecedented cyber attack on Sony Pictures Entertainment.

The fact is that many businesses have been caught woefully underprepared for the realities of the modern cyber security landscape. Now they’re playing catch up, if they’re responding at all. Security has never been more urgent, but many businesses still have highly inadequate security controls. When these businesses are struck by hackers, consumers also pay the price.

Previous government regulations on cyber security typically haven’t been sufficient, but they have had some positive impact. For example, many companies used to hide that they had experienced a breach. Consumers were left in the dark, and it was difficult for security professionals to tell how many attacks were really occurring. Now, state-level breach notification rules -- and HITECH Act provisions governing healthcare data -- have changed the story, requiring companies to notify people whose data has been compromised. Consumers have more information to consider when entrusting companies with their data, and we have a much clearer picture of the security breach landscape.

These are important outcomes, and not to be underestimated. But to truly change the game, lawmakers should take inspiration from industry-driven rules.

Prescriptive and Responsive

There are a number of problems with the majority of state and federal security rules that are in effect today.

One big issue is consistency: 47 states have breach notification rules, but the rules differ in each state. Another problem is strictness: it’s unlikely that a new federal measure will go any further than existing state breach notification laws, which are only relatively stringent even at their strongest, such as the rule in Massachusetts. While it would be worthwhile to have a federal rule that brings all of the states into parity with the more focused state rules, that is still only a half-step toward the type of solutions that are required.

We see this half-stepping quality in many government security efforts. HIPAA security rules are frequently chided as hazy and insufficient; healthcare organizations can feel they have complied without putting in place robust protections. What organizations really need are specific, prescriptive rules designed to be responsive to constantly evolving security needs.

There is a useful model for such guidelines in the payment card industry’s PCI Data Security Standards, a set of security controls required of any merchant that processes payment cards. The PCI rules are specific, offering merchants meaningful guidance and regular updates to reflect new security realities. PCI guidelines are developed based on input from security professionals as well as business owners, and this collaborative approach shows in the rules’ deft balance of security priorities. While certainly not perfect, the security bar established by the PCI security rules is a more stringent and more prescriptive baseline than any US government security law in effect today.

To create security rules that more effectively protect US businesses and consumers, lawmakers should look to industry efforts as a guide. If lawmakers work with industry leaders and security professionals to develop the kind of prescriptive and responsive rules that are needed, those rules may help businesses and their customers alike survive in the face of hacking threats.

As featured in Beta News.