Enterprise security strategy – Is More Cyber-Security Regulation the Answer? – eWeek Security Watch.
A survey of critical infrastructure companies by Enterprise Strategy Group reported that the companies with the most industry regulations to address tended to have better security practices, something that did not strike me as all that surprising. What did strike me as somewhat surprising, though, are some of the things people agreed the government should do in regard to cyber-security.
According to the survey (PDF) – which fielded answers from a total of 285 security pros in industries such as food and agriculture, defense and information technology – 39 percent said the government should “enact more stringent cyber-security legislation along the lines of PCI.” Thirty-two percent believed the government should create legislation with higher data breach fines.
It seems to me that the federal government should enact some cyber-security legislation, but not like PCI. Government bureaucracy is too slow-moving to be effective. In fact, IMHO, the PCI DSS bureaucracy is too slow-moving. PCI DSS 2.0 could have done much more but chose to simply focus on clarifications. I think the federal government should (1) force more, and more complete, breach disclosure and (2) possibly increase penalties for breaches. The latter was a tactic the government took with HITECH to strengthen HIPAA.
In the meantime, the states have been moving aggressively, e.g., Massachusetts 201 CMR 17.