Cyber Security Legislation: What CISOs Should Know
Cyber-security legislation is increasingly becoming an issue, yet few security organizations have a dedicated full-time person or regular, active effort in the security function to track on-going legislation. In addition, while having a security clearance may facilitate the sharing of information and the ingestion of sensitive and classified information, few security organizations have a team member with a security clearance.
Security professionals see cyber-security legislation as falling into three categories: information sharing, security standards and privacy.
Security professionals support the idea of information sharing, but view that sharing with the government comes with many caveats. Recommendations for sharing information include:
- Replicate the successful model of the FS-ISAC within other critical infrastructure industries.
- Establish private information-sharing agreements between organizations themselves both within and across industries.
- Leverage industry organizations and forums.
- Invite the participation of the federal government, organizations that operate outside of the critical infrastructure designation and SMB organizations that are part of the economic environment.
The general consensus is that government security standards are not overly beneficial and have become more of a checklist and career for auditors. Security professionals believe that many of the government standards are conflicting and that what is needed is less legislation and more clarification. Multi-national organizations are especially challenged as federal government standards and regulations may conflict with regulations overseas, such as where one can and cannot move data.
Government legislation also impacts privacy issues. Between mandatory information sharing and mandatory reporting, security executives view mandatory reporting as the bigger mine field. There are potential civil liabilities around reporting sensitive personal information, not protecting it being perceived as not protecting it and reporting it. |