Re: Another Epic Government Fail to Screw Americans
Those are great points, Susan. Tackling the first, I wholeheartedly agree that there's a huge difference between doing something because you have to and doing something because it's integral to your being, to your corporate philosophy, and to the way you think about your customers -- or, in healthcare's case, patients. It's also how you think about employees. After all, the same tools, technologies, and processes that protect (or don't) your customers protect your employee data. And that might not be good. When talking to a CISO/CSO who really gets how vital security is to an operation, who is viewed as key to the c-suite, you see the value s/he (usually he) provides. One reason: That exec educates other c-levels and board members about why security is vital, about the carrot/stick, and how it requires everything from ongoing education to technologies.
Regarding your second point, JP Morgan obviously is not spending enough on security -- and it is a relatively tiny amount of money, relative to the huge earnings it boasts. I am for small government, in general, and would never argue for regulations demanding a set percentage of spending on security. But you'd certainly hope some board members would be savvy enough to recognize that's nowhere near enough. Until shareholders and board members are held liable -- especially if they are on record blocking CSO/CIO recommendations for X tech or Y process -- then fines against the company, which invariably get passed along to consumers, won't do a thing. We really need bigger, sharper teeth that -- like Sarbanes-Oxley -- put people's names, not company names, on the line.