COLLEGE STATION, PENNSYLVANIA, JUNE 25, 2014 / Speaking at DHS's forum on Incentives for Cyber Security at Penn State University today, ISA President Larry Clinton praised the Obama Administration for its commitment to forgo new regulations for cyber security and instead launch a concerted effort to develop market incentives for security, including streamlining current regulations for good actors and entities who aggressively adopt the NIST Framework.
"Traditional regulatory models will not work, and indeed will be counterproductive in strengthening our cyber security because it will detract needed resources from security and divert them to meaningless compliance programs," said Clinton.
Clinton made these comments at a special DHS-sponsored session of the annual WEISS conference on the economics of cyber security.
"The Administration has made great strides in its understanding of the differences between public sector and private sector cyber risk including a sophisticated appreciation of the economics of cyber security," said Clinton, noting that research has continually shown that the primary problem in securing critical infrastructure is economic, not technical.
Clinton had special praise for DHS Assistant Secretary for Cyber Security Dr. Andy Ozment, noting Dr. Ozment’s recently published call for more sophisticated analysis of the use of the NIST Framework.
"Dr. Ozment is absolutely correct that, while anecdotal reports about use of the Framework are nice, they do not provide the level of data we need to evaluate our primary initiative in shoring our nation’s cyber weakness. In order to assess our success we need to first define what success means, and we have not yet done that with the NIST Framework. We need a systematic and collaborative process to assess the utility and effectiveness of the Framework."
Clinton noted that ISA had been calling for a more systematic assessment process since the Framework was released last February, including providing a detailed plan for beta testing the Framework and assessing its cost effectiveness.
"The administration has made progress in articulating the need for a voluntary approach, the need to create incentives and the need for a better assessment process, we are optimistic we will continue this progress as we develop more sophisticated methods to evaluate the utility and effectiveness of the Framework," said Clinton.
The Internet Security Alliance (ISA) is a unique multi-sector trade association, which provides thought leadership and strong public policy advocacy as well as business and technical services to its membership. The ISA represents enterprises from the aviation, banking, communications, defense, education, financial services, insurance, manufacturing, security, and technology industries.