Best Practices: The 2004 Global Information Security Survey

By Scott Berinato

Page 7

Security professionals are dubious of both current and potential future regulation. "No regulation is preferable to bad regulation," says the CISO of a major electronics company. "On the other hand, if we don't regulate, we're heading to a bad event with critical infrastructure, and then you'll end up with regulation passed in reaction to the bad event. It would be the worst of both worlds."

That bad event is what DHS's color-coding seeks to avoid. The government's threat-level reporting is widely believed to be for the public but, in fact, it was meant to alert first responders in the private sector to guide them in their protection of the critical infrastructure. When DHS Secretary Tom Ridge introduced the system in 2002, he said, "We anticipate and hope that businesses and hospitals and schools...will develop their own protective measures for each threat condition."

That hasn't happened.

Only one in 10 respondents reacts to homeland security alerts, and again, the breakdown by industry serves to reinforce that point. Of the six industries that had the highest number of respondents who reported that, yes, they changed their activities when DHS changes color levels, none reached even one-third: energy/utilities (30 percent), government (25 percent), aerospace (14 percent), hospitality (14 percent), construction/engineering (12 percent) and financial (11 percent).

No other industry reached 10 percent answering yes. And eight industries, including agriculture and electronics, had zero respondents who changed their practices according to the threat level.

"What can we do with a nonspecific threat?" a CISO asks rhetorically. "If it were, say, an orange alert for the supply chain, then we could take specific actions. Otherwise, we can't be moving resources around without knowing why we're doing it."

What We Think

Regulations don't create security; people create security. At the same time, regulation has a purpose. Even Scott Charney, CSO of Microsoft, believes that well-crafted regulations (he used to write them when he worked for the Justice Department) can have a positive effect on information security.

"The key is they have to be written well, and that's not easy to do," Charney says. "Passing a regulation that says 'Thou shalt be safe' isn't useful."

Right now, the color-coded alert system does not identify the specific threats that the infrastructure faces, nor does it guide the actions of information security professionals. Until DHS and industry leaders, in a combined effort, can define what's supposed to happen when the light goes from yellow to orange, the threat-level warning system can only produce agitation, not information.
