Certification Survey Extra is a series of periodic dispatches that give added insight into the findings of our most recent Certification Survey. These posts contain previously unpublished Certification Survey data.
Things haven't yet gotten so bad that there's breaking news about a major data breach every time you check the latest headlines. And yet it sometimes feels like successful attacks on high-value, data-rich targets have become something pretty close to commonplace. The fear and hand-wringing run their course in a week, or a month, and suddenly "Equifax" is just another past scandal that gets name-checked in the first couple of paragraphs of articles bemoaning the state of cybersecurity.
During the couple of news cycles when the outrage is fresh, there are probably more than a few individuals out there muttering some variation of the phrase "There ought to be a law." And not some sort of legal impediment to hackers, either, or at least not directly. Nearly every breach is accompanied by reports of cybersecurity negligence that is often appalling and almost always infuriating. Can't we force these companies to protect themselves?
I mean, yeah, probably not. But in the immortal words of Stanley Tucci from 2003 sci-fi disasterpiece The Core, "What if we could?" Maybe the average Joes and Janes whose information keeps getting stolen couldn't do it. The federal government, on the other hand, using the right combination of regulations and laws, might have the influence to make something stick.
This is the fifth in a series of articles drawn from our recent Cybersecurity Certification Survey about the role of government in cybersecurity. Previous articles in the series can be found here:
The Role of Government in Cybersecurity, Part 1
The Role of Government in Cybersecurity, Part 2
The Role of Government in Cybersecurity, Part 3
The Role of Government in Cybersecurity, Part 4
Should government put the screws to businesses and private organizations that are playing with fire by using outdated protection policies and software? Should there be fines? Temporary shutdowns? Litigation? We'll leave further debate over the details for another day. In our most recent Certification Survey, however, we did ask a couple of questions about how hard government should push for cybersecurity reform.
Here's what we learned by asking survey respondents — certified cybersecurity professionals, don't forget — to rate their level of agreement with the following two propositions:
Government should aggressively promote stronger security controls for businesses and private organizations.
Strongly Agree: 25.5 percent
Agree: 47.7 percent
Neither Agree nor Disagree: 18.3 percent
Disagree: 6.5 percent
Strongly Disagree: 2 percent
Government should mandate stronger security controls for businesses and private organizations.
Strongly Agree: 16.5 percent
Agree: 29.2 percent
Neither Agree nor Disagree: 32.5 percent
Disagree: 16 percent
Strongly Disagree: 5.8 percent
Two things are immediately evident. Certified cybersecurity professionals generally believe that there is a role for government to play: nearly three-quarters (73.2 percent) agree or strongly agree that government should aggressively promote stronger controls. They're a lot more comfortable, on the other hand, with that role being limited to strong words. Support drops to 45.7 percent when "promote" becomes "mandate," and the largest single group (32.5 percent) is undecided.
There is, it would seem, a belief that directly forcing businesses to protect sensitive data is outside the proper purview of law. Because it's wrong? Or because we just aren't comfortable with the idea yet? Once upon a time there was resistance to the idea of enforcing basic protections for workers, including highly vulnerable and irresponsibly endangered workers. Today we have child labor laws.
Maybe forcing businesses and private organizations to protect sensitive data — the kind of personally identifying information carelessly exposed prior to the Equifax hack (heard about that one?) — is bad policy. Or maybe it's just an idea whose time hasn't come, but may be getting here soon.