SAN FRANCISCO – This week’s annual RSA Conference here is, of course, all about the latest in security. But a company’s decision of which security strategies and products to pursue depends on more than popular trends or features. The regulatory environment and a company’s own business needs can also influence a security plan.
While Sarb-Ox and HIPAA set some standards for data protection and retention, the U.S. tends to have a different focus from countries in Europe and Asia.
One thing on attendees’ minds at RSA was the way globalization has
changed security — and the way U.S. regulation has lagged behind
other countries’ in some areas. NSFocus, maker of security gateways and other hardware/software combos for threat management, exhibited at the
conference in search of U.S. sales partners. Ma Bo, regional manager
for NSFocus, said the company has a huge market share in its home base of China, thanks to Beijing’s rules demanding advanced security for financial and commercial institutions. He finds U.S. regulations more lax.
The United States is also seen by other foreign vendors here as lagging when it comes to mandating strong security for consumer data and services.
In an RSA “town hall” presentation about Cyber Storm II, an audience member told Greg Garcia, Homeland Security assistant secretary, that the Federal government should establish standardized digital certificates for banks. “We’re way behind Europe,” he said, “and that drives more of the hackers here.”
But this may be the result of a different emphasis here and
abroad, rather than looser government.
While legislation in the EU focuses on keeping companies from
gathering too much data on citizens, in the States, the focus is on
requiring companies to disclose when consumers’ personal data has
been compromised.
Privacy versus security
“To them, privacy is paramount and trumps security,” said Michael
Markulec, COO of Lumeta, a network security vendor. “I’d argue that
in the United States, security is trumping the privacy issues.”
Efforts to control things like identify theft tend to focus on
keeping people from unauthorized access to the network, rather than
on limiting data collection. Network security is more important to
businesses, he allowed, “but we need to strike a balance.”
This year, Markulec sees database security as one of the top
issues on the minds of conference attendees. That could be because
they want to avoid the embarrassment of making te news when customer
data is lost or stolen.
U.S. Senator Dianne Feinstein (Calif.) has two bills in the
hopper, the Notification of Risk to Personal Data Act and the Social
Security Number Misuse Prevention Act. The data breach act was
introduced in 2003; neither of them have passed. California passed
a similar bill requiring data brokers to disclose security breaches
to the public in 2006, and other states have followed suit. But there
remains no federal law, in part because California lawmakers refused
to vote for a bill that would trump more stringent state laws.
In fact, most legislation sets the bar low, said Paul Davie,
founder of Secerno, a British database security company that just
launched in the United States. “They can’t set the level at
best-of-breed,” he told InternetNews.com. “They need to set
something that’s doable by the majority of companies. Otherwise, the
kickback from business would be enormous.”
In fact, compliance with audit and regulatory requirements remains
the top-rated pain point for information security professionals,
according to TheInfoPro, an IT market research firm. Its latest study
found that 55 percent of those surveyed planned a 56 percent increase
in spending in 2008.
Ultimately, legislation can’t drive security, said Sam Paone,
Secerno’s vice president of sales for North America. “The technology
evolves and outstrips legislation all the time,” he told
internetnews.com. “As soon as hackers know what it take to be
compliant, they figure out ways around it. A lot of compliance is
looking in the rearview mirror.”
