Earlier this month on SCMagazineUS.com, Peter George, CEO of Fidelis Security Systems, wrote an “Open letter to the network security industry,” encouraging the industry to rally together.
“What we really need is to follow through and insist on a mandate requiring corporations to share information on network breaches, disclose each foreign fingerprint found on their network, and even establish a federal database to house this collective pool of information,” he wrote. “And even this may not be enough, but it certainly is a start.”
As a company with roughly half of our customers in the United States and the rest spread out around the globe, I can see the value not just of a national standard but of a worldwide regulation that sets the network security bar for commerce in today's "Global Village": a standard adopted and enforced by governments worldwide.
It might sound like a non-starter, getting all the countries of the wired world to agree to a common standard, whether it is for breach disclosure, network attacks or anything else.
What seems most likely is the creation of a set of standards and enforceable network security best practices, with stiff penalties for non-compliance, enforced by a central governing body.
Unless you have been asleep at the security wheel since 2004, the Payment Card Industry Data Security Standard has become the poster child for an effective and sticky mandate. PCI DSS originally began as five different programs: Visa Card Information Security Program, MasterCard Site Data Protection, American Express Data Security Operating Policy, Discover Information and Compliance, and the JCB Data Security Program.
When the credit card companies first introduced the standard, the uproar around it was deafening. But the card brands held their ground, formed the PCI Security Standards Council, and invested time and money into creating a working infrastructure for enforcing compliance.
This meant working with merchants, helping to train assessors and accelerating the maturity of the qualified security assessor (QSA) channel, creating the overall governance model (overseen by the council), providing regular updates to the standard as needed, and remaining committed to working out the kinks.
Love it or hate it, PCI DSS has set a bar for the absolute minimum an organization must do if it wants to accept credit card payments, and it is here to stay.
While it might not make sense to replicate the PCI model exactly, any global oversight board can take a few moves from the card brands' playbook on how to make enforcement work. Whether governments sign a UN resolution to demonstrate countrywide internal controls, or there is some other method of enforcement, it must have political and economic teeth.
In his article, George outlined some of the stakeholders that would be involved in the creation of a common U.S. standard. For a global standard, there would likely need to be a wider set of stakeholders, which would of course be a challenge but could also result in the creation of a governing set of checks and balances structured for maximum enforceability.
While this is by no means a comprehensive list, network security vendors, technology analysts, global Fortune 500/1000/2000 CISOs, politicians and military leaders should all be members of the steering committee driving periodic updates.
In fact, the push for global standards is already well underway. In May 2011, the Obama administration proposed creating international computer standards, which “included penalties for countries and organizations that fell short.” This is a push that has been going on for quite some time, and chances are, for it to be successful, it will need to slowly but surely percolate to create the needed consensus within and across national borders.
In the meantime, organizations can’t stand still.
Thanks to all the recent breaches, security is now front and center. CISOs can leverage this opportunity to champion security in their organizations and advocate for the resources to step up security in a meaningful way.