Federal Data Security Law: 'Careful What You Wish For'
A cybersecurity bill advanced further up the U.S. Senate gauntlet last week, and some IT security practitioners aren't happy about it.
By Bill Brenner, Senior Editor
November 11, 2009 — CSO —
WASHINGTON, D.C. -- A federal cybersecurity law edged closer to reality late last week when the Senate Judiciary Committee approved a bill to protect the personal data of Americans. The bill is a bipartisan effort sponsored by Chairman Patrick Leahy, D-Vt., and co-sponsored by former Chairman Orrin Hatch, R-Utah, that would, among other things, force companies and data brokers to institute data privacy and security programs.
It's exactly what many security experts have been calling for -- one federal law that would supersede the growing mountain of state data security laws and give enterprises a simplified, one-size-fits-all roadmap to work from.
Also see Mass 201 CMR 17: A Survival Guide for the Anxious
And yet, when asked if a federal law is a good idea Tuesday during a panel discussion on the seventh-annual Global Information Security survey, which CSO and CIO magazines conducted with PricewaterhouseCoopers (see survey results here), one attendee who happens to work for the federal government deadpanned, "Careful what you wish for."
That seems to be the consensus among IT security pros these days. True, the patchwork of state laws can indeed be confusing to companies looking for a one-size-fits-all approach to security compliance. But in a recent, informal and unscientific poll CSOonline conducted on LinkedIn, a majority of respondents expressed doubt that a federal law would make their jobs easier. If anything, they said, the opposite would probably be the result.
The question we asked in various LinkedIn forums was if a federal cybersecurity law was the right way to proceed. Here's what four respondents said:
Gregory Anderson, desktop security SEPM lead manager and wise application packager at Qwest Communications
I have no faith in the U.S. government to implement useful strategies and security measures that don't fall completely apart when political cowards take the reins.
James McGovern, Hartford, Conn., chapter leader for the Open Web Application Security Project (OWASP)
One thing I believe is missing is that the government needs to acknowledge that while their security practice is probably more rigorous through the lens of process than their enterprise counterparts, they can learn something from enterprises in terms of community sharing of knowledge, ability to work under scenarios of smaller budgets and how to accomplish the job with less bureaucracy. We don't need more enforcement, but collaboration. When was the last time a government CIO or enterprise architect ever traded notes with their enterprise peers? Good security requires understanding multiple perspectives and not thinking in such an insular manner.
Federal cyber security law
- Risk-driven Compliance and Security Management
- Simplifying Risk Management: Is Your Company Measuring Up?
- Survival Guide: Overcoming the Obstacles to Effective Risk Management
- Utility Mandate: Software Security for the Smart Grid
- CyberAttacks ... Are you protected or prepared to pay?
- Bringing Together Security and Usability
- Security Protection via the Cloud
- Pillars of Enterprise Protection: Protecting the Infrastructure
- Midmarket Insights from the Global CEO Study
- The New Voice of the CIO - Implications for IT Managers
- Five Critical Success Factors in Overcoming Workforce Disruptions
- The Escalating Risk of the Insecure Web
