Cybersecurity Group Calls for New Gov't Approaches
- 12 April, 2007 12:01
The US government should explore new incentives for companies to invest in cybersecurity instead of focusing on regulation, a cybersecurity trade group said.
The Internet Security Alliance (ISA), made up of IT vendors and customers, called on the US government to abandon old regulatory approaches in favor of incentives such as cybersecurity insurance, awards programs and caps on legal liability for companies that adopt cybersecurity best practices.
The alliance, in a white paper, said legislation that requires the US government to create cybersecurity standards, including the Improving America's Security Act passed by the US Senate in mid-March, takes the wrong approach. The Improving America's Security Act would authorize the US Department of Homeland Security to develop standardization and certification programs for US critical infrastructure, including the Internet.
"That approach will not work ... due to factors within the Internet itself," said Larry Clinton, president of the ISA. "The Internet is inherently international, it changes much too quickly, and it's under constant attack."
By contrast, a regulatory approach would be limited to US-based divisions of companies, and it's slow to react to new threats, Clinton said.
Instead, the US government should encourage companies to invest in cybersecurity and adopt best practices already outlined by a number of private organizations, he added. Incentives that reduce costs would help companies get over the attitude that investing in cybersecurity is a "cost centre," he said.
"Government regulations can't keep up with Internet threats, but the profit motive can," Clinton added.
The incentives outlined in the ISA white paper could encourage companies to invest in cybersecurity not only in their US divisions but also in their foreign ones, Clinton said.
Among the proposed incentives:
- Companies following best practices should be able to buy additional insurance for cybersecurity-related events. Some companies have deferred investments in cybersecurity because they are concerned that they aren't protected from liability, the white paper says.
- The US government should limit legal liability for companies following best practices.
- US government agencies should set cybersecurity standards in their procurement practices, creating new business opportunities for companies that follow best practices.
- The US government should establish an awards program recognizing companies with strong cybersecurity programs.
"What we need to do is get more people to adopt [best practices]," Clinton said. "These investments are not being made aggressively enough."
The ISA is not calling for fewer penalties for cybercriminals or fewer consumer protection laws, Clinton said. "We're not saying, do less," he said. "We're saying, do more."
The ISA is a collaboration of the Electronic Industries Alliance and Carnegie Mellon's CyLab and works closely with the CERT Coordination Center. ISA helps organizations in several industries develop best practices in Internet security.