Like most reports that emanate from any government body there’s a lot of belaboring of the IT security obvious in a report this week issued by The Commission on Enhancing National Security (pdf) that was tasked by President Barack Obama to help set IT security priorities in the face of new and escalating threats. For example, the report concludes that there needs to be a strengthening of public-private partnerships to improve usage of more advanced approaches to authentication along with more research into securing Internet of Things (IoT) environments.
But buried deep within the report are two concrete recommendations that should bring cheer to IT security professionals everywhere. The commission is recommending that the U.S. government should extend incentives to companies that have “implemented cyber risk management principles and demonstrate collaborative engagement.”
Specifically, the report calls on the next administration and Congress to pass legislation that provides appropriate liability protections for businesses that engage in cyber risk mitigation practices that are consistent either with the Cybersecurity Framework developed by the National Institute of Standards and Technology (NIST) or other common industry segment practices as part of cyber collaboration effort involving with government and industry.
In addition, the report notes safe harbors would be particularly appropriate to consider in the context of providing business certainty for companies that operate in regulated sectors. That effort would encourage business to share information about how they were compromised without fear of financial penalties being imposed by regulators.
Additional benefits to encourage enhanced cybersecurity might include tax incentives, government procurement incentives, public recognition programs, prioritized cyber technical assistance, and regulatory streamlining. The report adds that future research and development efforts should specifically include a detailed study of how best to improve network security through incentives.
The second big insight provided by the report concerns the challenges small-to-medium (SMBs) specifically face. The report recommends that the NIST revisit the Cybersecurity Framework with an eye towards creating an implementation of it that can SMB could reasonably afford to implement. The report implicitly recognizes that unlike Federal agencies the average SMB is throwing a percentage of its overall IT budget at IT security. The IT budget, of course, is usually itself only a single-digit percentage of overall revenue.
In effect, the report recognizes that adage concerning how compensation drives behavior. If the nation as whole see values in enhancing our collective IT security the SMBs that drive most the business activity at risk need to be able to literally buy into that strategy. Most advanced IT security technologies are beyond their fiscal ability to acquire and operate even if they could IT professionals with the skills required to master them.
The authors of the report lead by co-vice chairs Thomas E. Donilon, a partner with O’Melveny & Myers, a former U.S. National Security Advisor to President Obama, and Samuel J. Palmisano, retired chairman and CEO of IBM, appear in this polarized political climate to shied away from calling for any more regulations. Most of the concrete recommendations concern executive orders that should be issued to better secure the operations of the Federal government.
Obviously, it remains to be seen what president-elect Donald Trump will decide to craft in the way of a cybersecurity strategy. But if the posturing that occurred during the recent presidential campaign is any guide a lot more of that strategy is likely to revolve around economic carrots than regulatory sticks.
Mike Vizard has covered IT for more than 25 years, and has edited or contributed to a number of tech publications including InfoWorld, eWeek, CRN, Baseline, ComputerWorld, TMCNet, and Digital Review. He currently blogs for IT Business Edge and contributes to CIOinsight, The Channel Insider, Programmableweb and Slashdot.Mike also blogs about emerging cloud technology for Intronis MSP Solutions by Barracuda.