Security and Compliance
It's been said that all business-to-business sales are motivated by either fear or greed. Traditionally, security products and services have been a fear sell: fear of burglars, murders, kidnappers, and -- more recently -- hackers. Despite repeated attempts by the computer security industry to position itself as a greed sell -- "better Internet security will make your company more profitable because you can better manage your risks" -- fear remains the primary motivator for the purchase of network security products and services.
The problem is that many security risks are not borne by the organization making the purchasing decision. An organization might be perfectly rational about securing its own networks against threats like theft of proprietary information and business interruption. But the adverse effects of privacy loss are borne more by those whose privacy has been breached. In economics, this is known as an "externality"; an effect of an organizational decision that don't affect the organization.
This is the proper backdrop to understand the recent spate of privacy laws. The goal of these laws is to bring those externalities into the decision process by adding an additional fear motivator: fear of lawsuit, fear of criminal penalties, fear of being out of compliance.
Privacy laws have existed for years in Europe, but the United States has been seeing an increase in network security compliance laws in recent years. The litany includes the Sarbanes-Oxley (SOX) Act of 2002, the California Database Protection Act (SB 1386) of 2001, the Gramm Leach Bliley (GLB) Act of 1999, and the Health Insurance Portability and Accountability Act (HIPAA) of 1996 and 2003.
The creation of these laws generally follows three steps:
In Step (2), regulators attempt to bring those externalities into the organization. By passing laws and mandating compliance, they introduce an additional fear to the organizations and motivate them to implement additional security measures.
Each of these laws imposes strict requirements on enterprises to establish or identify, document, test, and monitor "internal control" processes. Since most, if not all, of these processes are supported by information technology, these laws have an enormous impact on a company's network security decisions. The four laws specify varying requirements, but all share the following common mandates for organizations:
But like most legislative actions, the laws are vague and imperfect. Some provisions are simply too much for organizations to implement, others are just poorly worded. So the end result is Step (3): a negotiation between the organizations affected by the laws and the regulators entrusted with enforcing the laws.
The result is improvement. More important than the specific list of countermeasures is a process of continual security improvement. An organization needs to be able to defend itself against a lawsuit saying: "We're implementing these industry-standard processes. We're improving. We may not be perfect today, but we're continually getting better."
As a security professional, I applaud these kinds of regulations. Just as I advocate software liability as way to bring the externalities of insecure software into the decision-making process of the software manufacturer, I see these data privacy laws as a way to force organizations to take personal data security protection seriously.
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.