Recently I tossed my hat into the ring to provide some commentary on Obama’s cybersecurity proposal, and it somehow made its way into a Wall Street Journal mention. I was humbled, to say the least. That said, I was asked to provide more color commentary by the folks at Tech Pro Essentials, and I would encourage you to take a minute or two to check out the article there.
As a preview: since incident response is generally an afterthought for most companies and not well understood, the level of concern that the proposed 30-day notification window has generated is understandable. That said, I believe the 30-day window, while a step in the right direction, will drive the wrong behaviors.
What Obama’s proposed legislation should address is rapid detection of, and response to, cyber intrusions on networks. I would propose three alternatives:
1. Require full disclosure of all incidents to the SEC.
2. Impose penalties on companies that do not detect and respond to breaches within a certain timeframe.
3. Provide incentives to make rapid detection and response a reality and a priority.
While not perfect, and there is always room for improvement, I think these would be a step in the right direction and would drive the correct behaviors needed to change the game.
Feel free to reach out via Twitter @SeanAMason to share your thoughts. Thank you for reading.