Down To Business: Time To Get Tough On Security Slackers
The Veterans Affairs Department and their ilk aren't victims. They're enablers and must be held accountable.
There comes a time when a problem spirals so out of control that you're willing to entertain just about any solution to get it under control. That time has arrived with data security.
On the table for more than a year has been an array of regulatory, legal, and market-based approaches for keeping organizations from losing, misplacing, exposing, and otherwise failing to protect people's personal data. Among the proposals: Hold every organization to minimum security standards. Require them to notify customers immediately when a key system has been breached. Levy heavy fines and even jail sentences on those who fumble customer data, not just on those who steal it. Experiment with nonregulatory solutions, like insurance policies and third-party monitoring and ratings. Then there are the free-market die-hards, who insist on doing nothing, as consumers will punish those who play fast and loose with their data.
Meantime, lots of for-profit enterprises carry (and mishandle) data on people who aren't even their customers. For instance, most of the thousands of people affected a year ago by a breach at ChoicePoint, which aggregates and sells reams of consumer and business data, had never even heard of that company.
I have long argued that when it comes to modifying organizational misbehavior, regulations should be the last resort. After last week's VA debacle, that last resort is looking like the only option.
So how should we proceed? Forget the Sarbanes-Oxley scattershot approach. Forcing every company and government enterprise to pass regular security checkpoints would tie up the masses in red tape because a relative few can't get their acts together.
More productive would be national legislation, patterned on a California law, requiring companies to report data loss in a timely manner, as it would target only the offenders. (The VA secretary claims he didn't even know about the agency's debacle until two weeks after it happened, so internal policies must be improved as well.) Critics argue that such notification laws unfairly punish the victims of data theft. But enterprises that lose backup tapes, are lax with physical and digital security, or let their employees tote around highly sensitive data are hardly victims. They're enablers.
In addition, punish the offenders--the serial slackers as well as the identity thieves and corporate espionage artists. It was revealed last week that the VA had failed a federal security audit four out of the last five years, and that in 2004 the inspector general recommended that the agency take 16 security steps, none of which was fully implemented. Perhaps if the VA secretary faced personal fines or jail time for that foot dragging, those security measures would have been put into practice long ago.
We've all lost patience with the post facto commitment to information security. The VA secretary last week vowed a "relentless investigation" of the agency's security policies. We're also told that the analyst was placed on leave for taking the laptop home in violation of VA policy, but why was it technically feasible for him to download and transport that data in the first place?
In a statement, the VA pointed out that "it is possible" that those who stole the laptop remain unaware of the information it contains. It's also possible that they know exactly what they have and are busy ripping off millions of people's identities and disrupting their lives--all while the bureaucrats trip over themselves to "strengthen safeguards," point veterans to free credit reports, and spend at least $100 million in taxpayer money to cover their asses.
How Enterprises Are Attacking the IT Security EnterpriseTo learn more about what organizations are doing to tackle attacks and threats we surveyed a group of 300 IT and infosec professionals to find out what their biggest IT security challenges are and what they're doing to defend against today's threats. Download the report to see what they're saying.
Infographic: The State of DevOps in 2017Is DevOps helping organizations reduce costs and time-to-market for software releases? What's getting in the way of DevOps adoption? Find out in this InformationWeek and Interop ITX infographic on the state of DevOps in 2017.
2017 State of IT ReportIn today's technology-driven world, "innovation" has become a basic expectation. IT leaders are tasked with making technical magic, improving customer experience, and boosting the bottom line -- yet often without any increase to the IT budget. How are organizations striking the balance between new initiatives and cost control? Download our report to learn about the biggest challenges and how savvy IT executives are overcoming them.