• What, exactly, is reasonable security? The state of California knows!

    19 Sep 2016

With all that’s happening in the world of information security, it seems that there’s never enough regulation. From HIPAA to the state breach notification laws to PCI DSS and beyond, there are rules – and guidance – around every corner. Oddly enough, the breaches keep occurring. As if what we’ve been told up to this point is not reasonable enough. Some people, mostly federal government bureaucrats and lawyers who stand to benefit from such power, believe we need more regulations. Some are even attempting to rebrand information security as “cybersecurity,” which only serves to create another layer of complexity and hurt our cause long-term.

    Presumably, more regulations will clarify what “reasonable security” means. I disagree. The core information security essentials that we need to follow in order to be secure have been around for decades. Yet people think we need more guidance, more rules, more control. It’s the mindset that many have toward fixing government schools: don’t address the real problems, just throw more money at things and the challenges should go away soon. If things were only that simple!

If we’re going to address information security reasonably, we don’t need more regulations…what we need is discipline. The discipline to execute the security essentials over and over again, no matter how boring, how repetitive, and how politically inconvenient they are. I love what Kamala Harris, Attorney General for the state of California, wrote in her 2016 California Data Breach Report:

    RECOMMENDATION 1:
    The 20 controls in the Center for Internet Security’s Critical Security Controls define a minimum level of information security that all organizations that collect or maintain personal information should meet. The failure to implement all the Controls that apply to an organization’s environment constitutes a lack of reasonable security.

    Folks, it’s as simple as that…Ignoring the problem won’t make it go away. Unless and until we address the core security practices – practices that have been proven to work time and again – we’ll continue to struggle. So, what’s it going to be?