The changed privacy and security regulatory environment in Canada and the U.S. is driving dramatic changes in the role of the chief security officer (CSO), said some participants at the recently concluded RSA Conference in San Francisco.
North American CSOs, they said, are struggling to make company security policies compliant with a new regulatory scene.
It’s an environment defined by legislation such as the Sarbanes Oxley Act (SOX) in the U.S. that seeks to reduce corporate and financial fraud, and the Personal Information Protection and Electronic Documents Act (PIPEDA) in Canada.
Security, these experts noted, is now no longer just a matter of shielding a company’s hardware and software assets from threats such as viruses and spyware. It also includes establishing security policies and systems that comply with SOX and PIPEDA, and preventing misuse or unauthorized access to sensitive corporate and customer information.
“Trying to get these things to match is like herding cats,” Ron Gula, president and CEO of Tenable Network Security in Columbia, MD, conceded.
Gula said CSOs are struggling with this new regulatory environment as they now have two jobs to tackle: auditing networks and machines for security, and then getting those systems to conform to today’s new privacy and security regulations.
He said in large corporations with thousands of machines and complex networks, that auditing process can take a great deal of time. And while large companies may have the staff and budgets to do such an audit, smaller firms lack these resources and may face even greater problems, Gula said. “You have these small businesses or doctor’s offices that have never been through (security) audits and have no idea what a vulnerability scan is, or why throwing a new PC onto the network is a (compliance and security) problem.”
Gula believes the emerging regulatory environment will change the roles of the CSO, as well as of those responsible for IT security.
Security, he said, will become more automated as network and other product vendors build security protocols and standards directly into products. Security automation means CSOs and security teams spend more time learning and implementing SOX and PIPEDA regulations across the company.
“Compliance is a full-time job now and you need someone who focuses on just (that),” said Amir Wain, CEO of i2c Inc. in San Mateo, Calif. “I think this is going to be a new role in many companies, a Chief Compliance Officer.”
Robert Vogt, senior sales engineer of Apani Networks in Boylston, Mass., said the new regulatory environment is creating a market for companies specializing in auditing and compliance management.
But some RSA Conference participants suggested that many security and privacy issues are a result of software vendors not taking security seriously. Their customers – the companies using those products – suffer the consequences for such deliberate oversight, they said.
“If you have come to as many of these conferences as I have, you start wondering why we have not solved any problems; why the old attacks are still around and why the new (ones) are so much worse every year,” said Bruce Schneier, chief technology officer with Counterpane Internet Security Inc. in Mountain View, Calif. “I maintain the problems are not about technology, they are economic.”
During a roundtable debate on software security and regulation, Schneier argued the software industry has done a shoddy job on security because there are no consequences for poor security in products.
He advocated regulation, in the form of making vendors liable for security-deficient products, as a way of getting them to take security seriously and making products more secure.
Schneier compared the ATM industries in England and the United States. In England, banks are not liable for the security of their ATM machines, so there has been little progress in improving it. In the United States, where banks are held accountable, security is much stronger.
Richard Clarke, chairman of Good Harbor Consulting LLC – well known for his role as senior White House Advisor to the last three U.S. Presidents — said companies seem only to respond when there are regulations and those regulations are enforced. He said as the software industry has not been willing to tackle issues of security, regulation may be necessary.
Clarke has held the titles of National Coordinator for Security and Counterterrorism, and Special Advisor to the President for Cyber Security.
His observations did not impress Rick White, president and CEO of TechNet, a public policy and political service organization in Washington, D.C., who argued that regulation will only stifle innovation in the industry. Schneier argued security should not be an afterthought or something abandoned because it might affect the bottom line. “We can solve these security problems, but the issue is capitalist incentives are not in line with the results we want. If we make it in the best interests of the software guys to add more security, they will. Regulation does that.”
Schneier said a security hole in software affects both consumers and businesses.
For instance, he said, if his mother’s computer gets infected with viruses or is compromised, it does not affect just her. It may also negatively affect thousands of others, including businesses, as her machine could be used to mount denial-of-service attacks on other systems and Web sites.