http://techliberation.com/2009/03/13/a-federal-takeover-of-cyber-security/ Keeping politicians' hands off the Net & everything else related to technology Sun, 27 May 2012 22:43:00 +0000 hourly 1 http://wordpress.org/?v=3.2.1 http://techliberation.com/2009/03/13/a-federal-takeover-of-cyber-security/comment-page-1/#comment-65413 Reese Payton Wed, 18 Mar 2009 07:44:30 +0000 http://techliberation.com/?p=17440#comment-65413 <p>Federal responsibility, no way! Please keep us posted on the results.<br>Reese Payton</p> Federal responsibility, no way! Please keep us posted on the results.
Reese Payton

]]> http://techliberation.com/2009/03/13/a-federal-takeover-of-cyber-security/comment-page-1/#comment-61968 Reese Payton Wed, 18 Mar 2009 03:44:30 +0000 http://techliberation.com/?p=17440#comment-61968 <p>Federal responsibility, no way! Please keep us posted on the results.<br>Reese Payton</p> Federal responsibility, no way! Please keep us posted on the results.
Reese Payton

]]> http://techliberation.com/2009/03/13/a-federal-takeover-of-cyber-security/comment-page-1/#comment-58756 Reese Payton Wed, 18 Mar 2009 02:44:30 +0000 http://techliberation.com/?p=17440#comment-58756 <p>Federal responsibility, no way! Please keep us posted on the results.<br>Reese Payton</p> Federal responsibility, no way! Please keep us posted on the results.
Reese Payton

]]> http://techliberation.com/2009/03/13/a-federal-takeover-of-cyber-security/comment-page-1/#comment-58720 rybolov Mon, 16 Mar 2009 14:00:46 +0000 http://techliberation.com/?p=17440#comment-58720 <p>Hi jim and Tim<br><br>The key problem for security is mentioned in the Princeton podcast: there is a shortage of skilled labor and a shortage of people who are cross-trained into having some security skills.<br><br>One thing I want to make clear: there is no return on investment for security. Security is a cost, and only in very rare circumstances is there a return on security costs. Instead, good security is cost reduction or loss prevention, an entirely different model.<br><br>We do have some industry self-regulation happening. PCI-DSS is a good example.<br><br>I do see a disconnect in Jim's article. Forensics do not equal liability, they equal the ability to track down the "real" evildoer, but you still might have an issue of negligence. Negligence is a better model for us to look at when we set public policy.<br><br>If you really want to push security in public policy, have a look at the various data breach laws that have been pushed. S.459 comes to mind. <a href="http://thomas.loc.gov/cgi-bin/bdquery/z?d110:S495:" rel="nofollow">http://thomas.loc.gov/cgi-bin/bdquery/z?d110:S495:</a></p> Hi jim and Tim

The key problem for security is mentioned in the Princeton podcast: there is a shortage of skilled labor and a shortage of people who are cross-trained into having some security skills.

One thing I want to make clear: there is no return on investment for security. Security is a cost, and only in very rare circumstances is there a return on security costs. Instead, good security is cost reduction or loss prevention, an entirely different model.

We do have some industry self-regulation happening. PCI-DSS is a good example.

I do see a disconnect in Jim's article. Forensics do not equal liability, they equal the ability to track down the “real” evildoer, but you still might have an issue of negligence. Negligence is a better model for us to look at when we set public policy.

If you really want to push security in public policy, have a look at the various data breach laws that have been pushed. S.459 comes to mind. http://thomas.loc.gov/cgi-bin/bdquery/z?d110:S495:

]]>