
Panel: Security is serious business

Security experts say the private sector needs to get serious about network protection before a major cyberattack results in government intervention.

Robert Lemos Staff Writer, CNET News.com
Robert Lemos covers viruses, worms and other security threats.
SAN FRANCISCO--Security experts warned Thursday that business executives need to take network protection more seriously before a major cyberattack results in government intervention.

Although the Bush administration has indicated it doesn't intend to dictate how companies should handle security, another Code Red or Nimda incident could change that stance, Roger Cressey, president of Good Harbor Consulting, said during a panel discussion at the RSA Conference 2003.

"If we do have a major cyberincident, there will be a critical mass of pressure for regulation, and (Congress) will take out a sledgehammer when a scalpel is needed," Cressey said.

Two months ago, the Bush administration released the National Strategy to Secure Cyberspace, a document that mainly suggested solutions for protecting the Internet and critical infrastructure. The only mandates in the document were directed at government agencies.

That's the correct approach, Lawrence Dietz, the director of market intelligence for Symantec, said during the RSA panel. "We have seen Congress draft legislation--we don't want that."

Instead, Dietz said, the government should wield its wallet and put restrictions on companies that want to do business with federal agencies. The U.S. government expects to spend nearly $59 billion on information technology during fiscal year 2004--a significant incentive, he said.

"The government really needs to be a smart buyer," Dietz said.

Dietz added that companies should not expect security investments to boost profits. "ROI (return on investment) is not the right answer. It's just the cost of doing business."

While the panelists didn't seem too critical of the government's cybersecurity initiative, they did question whether it will retain momentum after the departure of Richard Clarke, the administration's top cybersecurity adviser.

"Losing a cyberadviser in the White House was a big mistake," Cressey said.