As much as I wish we'd never gotten into this US financial and credit mess, there actually may be a few bright sides to the whole debacle, and one of those could be network security. One likely outcome of the situation is increased regulation of the financial, and potentially other, industries. You can bet the pendulum is going to swing hard towards more regulation for the foreseeable future, whether we like it or not. At one point in my life, "more regulation" is a statement I would never have supported. But my political views about such things have changed over the past five years. I'm still very much a believer in the power of free and open markets, but we've seen the limits of their ability to self-correct and to contain corruption by people making a buck at others' expense. OK... back to how this all helps network security.
Love it or hate it, regulation has significantly helped improve security in our networks. SOX, GLBA and HIPAA have all created business justification for improving or expanding security and privacy in our business networks. Visa PCI (not a regulation) has had a huge impact as well. I saw firsthand how these regulations help IT and security professionals get increased support within their companies to go out and spend money on security. Sometimes a security purchase was simply riding on the regulation's long coattails; in other situations it directly supported meeting a regulation. At a minimum, regulations woke up finance organizations and the executive offices, giving them impetus to support spending more money on security. I wish I could say every security purchase made because of this was exactly what the business needed and got, but we all know that doesn't happen.
What new regulations are likely to come along? Hard to tell at this point, but transparency is the new buzzword. Transparency into risks, transactions, investments, etc. And with all that transparency comes the risk that this information will fall into the hands of those for whom it wasn't intended. More encryption? More secure storage? Yes, and yes, and probably a lot more. See where I'm going about regulation being good for security?
Now, will the security industry's revenues double because of all this? Very unlikely, but it could keep IT security spending up while other areas are cut back. Hard to say. While there may be negative consequences to the economic downturn, security could come out of the dip doing better than when it went in.
Regulation isn't effective
Aside from the political point that the financial markets were already very heavily regulated (so I don't see how one can claim the recent fiasco is due to a lack of regulation), here's what jumps out at me here.
Where are the data for this claim that regulatory compliance has increased security? I don't think there are any. What are the numbers on compromises and breaches before and after SOX, etc.? More IPS deployed and more log aggregation don't mean anything without a success metric to refer to. Do programs like this have any real effect other than satisfying auditors? Or, how many organizations have suffered a loss due to non-compliance? Meaning HIPAA fines, PCI or SOX penalties.
I work in a healthcare organization, and I can say that for the most part HIPAA has zero effect. There's no teeth in it so it isn't really a consideration. The only people who mention it are vendors trying to sell compliance-related products.
Agreed.
I've been in the IT arena for twelve years; as a network engineer for five. After being offered a position at a health care company, I researched HIPAA regulations and found zero directives that put a tangible push towards information security in the enterprise. I've read rumors that HIPAA compliance audits consist more of personal interviews than technical review, which makes me feel that any company could feasibly show due diligence towards meeting the ambiguous HIPAA regulations without investing a single dollar in research towards actual solutions. I would like to see a consortium of security professionals start a free wiki-type project to bring actual best practices for security design and implementation to the web in an open symposium. Lots of companies, even outside of health care, do not have the resources to hire or contract high-priced security professionals, so shops with junior- to mid-level engineers have limited access to guidance for even basic security practices, let alone regulation compliance.