President Obama’s mention of cyber-security in last night’s State of the Union Address came as no surprise. The Obama camp implemented a novel approach this year of “previewing” the President’s main agenda items through a series of speeches in the week preceding the SOTU. But even without the preview, the comments on cyber-security were rather predictable (and brief).
Cyber security threats and their potential impact on organizations and individuals have become a mainstream issue in the past year and they represent a “safe” platform for public officials. Few would argue against the need for increased protection of businesses and consumers alike.
But some significant questions remain: how well are the issues and challenges of cyber security understood by those leading the discussion? With a complex array of threats and targets, where should increased legislation or regulation focus? And will the organizations (public and commercial) be prepared to implement the new requirements?
Let’s start with the last question first. Will the organizations likely to be impacted by the introduction of new regulations around cyber-security be ready, willing, and able to implement them? Well, there is at least one data point that suggests a strong willingness, and even desire, to do so.
This past fall, we conducted a survey of IT and information security professionals to gain a better understanding of what organizations are doing in response to an increase in regulatory changes and guidelines regarding application and network security. The findings reveal some interesting attitudes relative to increased government regulation. While acknowledging that the increase will adversely impact their organizations financially, the vast majority of respondents believe more regulatory guidance is needed.
"84% expected network & applications security to be more tightly regulated by the government over the next 12 months"
"63% of respondents indicated a willingness to adopt application & network security best practices from another industry"
*From a 2014 survey of IT and Information security professionals.
Research conducted by Radware and IDG Research.
In an area where regulators are accustomed to organizations fighting new requirements tooth-and-nail, this attitude should be refreshing and signal strong opportunity. Again, this is another indicator that proposing stronger guidelines for cyber-security represents a “can’t lose” platform for the President and other lawmakers.
Despite the apparent support for increased regulation, all is not smooth sailing for the President’s proposals. Criticism from the corners of the commercial and public sectors emerged quickly after the ideas were previewed. The most significant criticism has been that there are no truly new ideas in the President’s proposal. Indeed, the proposal includes elements that have been in play for some time, as evidenced by a blog post from 2011 that covered some of the same ideas.
Nonetheless, there are some legitimate issues with the scope of the proposals, most notably their tendency to seek treatment of the symptoms rather than the root cause. Nearly all of the President’s grandstanding on cyber-security leading up to the State of the Union focused on the issue of consumer notification in the event of an incident. No doubt, this is an important topic, but the proposals lack an in-depth focus on preventing consumer data breaches in the first place.
Reading between the lines of responses to our survey last year, one can see a real need for more consistency and guidance for organizations that genuinely want to improve cyber-security. For any of the President’s proposed measures to take effect, organizations will need strong models for information sharing, data protection, and network availability. Fortunately, there are some strong models out there.
- The Financial Services Information Sharing and Analysis Center (FS-ISAC) has set a strong standard in the area of threat intelligence sharing between organizations. Started in 1999 as a result of President Clinton’s Presidential Directive 63, the FS-ISAC today unites global members in a collaborative effort around new vulnerabilities and threats targeting the banking industry. The processes and resources used to build the FS-ISAC could and should act as a guide for other industries now faced with broader requirements for information sharing.
- The Federal Financial Institutions Examination Council (FFIEC) provided another point of guidance. In statements issued in April of last year pertaining to DDoS attacks, the FFIEC offered 6 specific steps to integrate DDoS preparation into an organization’s security planning. Admittedly this is really high level and really more of a “plan to make a plan.”
These are just two examples; there are many others. For a more complete view of recent cyber-security regulatory measures, check out Carl Herberger’s blog from last May that spotlights 6 specific initiatives.
Gaining expertise and education are key steps for businesses to take when starting to address the inevitable cyber-security regulations that will arrive this year. Using trusted, experienced vendors can provide access to the knowledge and technology that can defend against current threats as well as detect and prevent potential threats. I invite you to download the full research on how new cyber security federal regulations are impacting application and network security to gain a better understanding of what organizations are doing in response to federal guidelines, how those changes are being perceived, and how some businesses are changing their own protocols to stay compliant.