Top Down Urgency

The pragmatic decision makers with whom I work rarely find my more urgent recommendations compelling. Driving change in security and compliance practices can be challenging. Finding the right ‘lever’ to influence decisions is what the work is all about. The recent unclassified report to President Obama by the President’s Council Of Advisors On Science and Technology (PCAST) entitled “Immediate Opportunities for Strengthening the Nation’s Cybersecurity” is going to significantly change the conversation. While there’s nothing in the report that’s going to startle any security professional, the authors have significant clout and the recipient definitely can influence change.

If I were to boil the entire paper down to a single statement, it would be “we need to build a culture of awareness and vigilance into society and more specifically the commercial sector through existing governance models”. The most compelling and relevant statement in the report is:

The President should strongly encourage independent regulatory agencies to adopt regulations that require self-reporting of continuous-improvement practices along these same lines. In particular, the Securities and Exchange Commission (SEC) should mandate, for publicly held companies, the disclosure, as investment risks, of cyber-security risk factors that go beyond current materiality tests

The wheels of government do move slowly – but they grind everything down to the same fine powder. The Sarbanes-Oxley Act drove significant change in the commercial sector. Eventually this recommendation is going to blossom into legislation. Once the SEC (or equivalent federal agency) requires it, my pragmatic decision makers will embrace the need for fundamental change in much the same way they did Sarbanes-Oxley – and I’ll have fewer opportunities to promote challenging changes. That’ll be a good day.