September 22, 2010
Enterprise Security 2.0?

Tao of Data Security - Part 4 - Enterprise Security 2.0. Previous posts in this series:


When Intel bought McAfee, the rising role of security within business became clearer for roughly 7.5 billion reasons. But enterprises will have to shoulder the burden of cyber security more and more in the coming years, for many reasons:

  1. Consumers haven't proven to be the most reliable security practitioners. Twitter, for instance, blocked about 400 weak passwords so consumers wouldn't use '123456', despite having suffered a few brute force password attacks.
  2. The growth of privacy. Consider:
    1. Consumer advocacy groups have demanded privacy from companies like Google. For example, in Manhattan, one group put up an unflattering billboard of Google CEO Eric Schmidt.
    2. Governments are reacting by tightening privacy laws. (China has its own, unique twist.)

This means enterprises will be forced to bear the burden of managing privacy and security. Much like the auto industry was required to build and incorporate seat belts and air bags, anyone writing software for products and services will have to do the equivalent in the virtual world. Most likely, the growth of mandates and privacy requirements means security experts will have to become amateur lawyers. In legal circles, there is a concept called "reasonable behavior" which defines what can be considered responsible action in a case of potential negligence. For example, just after SOX became law, no one knew how to comply. But over time, some big companies became SOX ninjas and defined "reasonable behavior" for the laggards (and for judges).

But in security, we're still in the process of defining "reasonable behavior." Our recent survey with Securosis showed people are still trying to figure out what an effective data security program looks like from a technology perspective. But the survey also showed that mandates, especially PCI, weighed heavily on security programs (88% of the time!), and PCI was far ahead of any other mandate in the survey. It is quite likely that PCI will become the "reasonable behavior" that defines security. We already see evidence of this happening. The state of Ohio, for example, recently adopted a version of PCI—the famous Joe the Plumber law. Also, the state of Minnesota gave part of the PCI standard legal standing. (Does this mean PCI is perfect? No, but it means it has momentum. How many states have adopted their own version of SOX?)

Another legal concept is "administrative normalcy," which refers to some legal or business process becoming routine. Could the "reasonable behavior" defined by PCI become the framework for "administrative normalcy" by which security installs its seat belts and air bags? Perhaps not in its current format, but certainly something that looks pretty close.
