Cyber Security Legislation: What CISOs Should Know
Survey Says: CISOs, in general, don't know much. In addition to a lack of knowledge about cyber security legislation, there is great disparity in how CISOs engage with law enforcement and government agencies and in how they share data.
Top concerns are:
- The Senate Cybersecurity Information Sharing Act of 2014 authorizing companies to launch countermeasures if someone attacked them. CISOs view it as setting a dangerous precedent that would allow a company to engage in active defense. Most organizations are ill-equipped and unprepared to deal with that kind of power. Further, the point of attack is often a compromised endpoint that belongs to someone else, not the attacker.
- Sharing data with the DHS, which would in turn share it with all of DoD, including the NSA. This includes the government's expectation that companies sanitize data before sharing it, while the government itself would share data in unsanitized form.
- The inability of the government to reciprocate in sharing data with organizations.
Recommendation: Encrypt Everything.