
Legislators under fire over heavy-handed security rules

by Phil Muncaster


27 Oct 2008

Law makers are too prescriptive and force security chiefs to invest in the wrong areas

Legislators have been strongly criticised by IT security stakeholders at this year’s RSA Conference Europe show for being too prescriptive and forcing security chiefs to invest in the wrong areas.

In the show’s opening keynote, Art Coviello, president of security vendor RSA, argued that public policy should provide “the right leadership and the right outcomes”, but too often is ill thought out and addresses the wrong risks.

“When it comes to security, materiality and risk are not often given their proper weight – it drives businesses to spend unnecessarily on perceived but not real security risks,” Coviello added. “They shouldn’t be prescriptive measures whose benefits are ephemeral at best.”

By way of example, Coviello cited a legal requirement in one Asian jurisdiction that mandates the encryption of live production databases. By contrast, he praised California’s data breach notification law for shifting responsibility back onto the individual institutions that hold the data.

“These types of regulations focus on outcomes and then hold the institutions responsible for those outcomes,” Coviello said. “The UK also took the right approach in providing new powers for the ICO [Information Commissioner’s Office] to impose penalties on organisations deliberately disobeying the DPA [Data Protection Act].”

European Data Protection Supervisor Peter Hustinx agreed that more robust policies and standards are necessary to address the growing number of data breach incidents. “I’m not in favour of regulators sitting on top of you, but they should be able to see that you are doing the right thing,” he explained.

However, he criticised attempts by some European governments to compel private sector organisations to retain data on their customers so that it can be used at a later date for law enforcement purposes.

RSA’s Coviello also criticised current security technology tools for frustrating users and called for more “dynamic content and behaviour-based technologies”.

“Existing technologies are bound with failure in this area – the tools are forcing people to think in the way the tool does,” he argued. “They create massive confusion and are extremely frustrating for the user community.”

Ken Silva, chief technology officer of internet security firm VeriSign, agreed that the IT industry has to take some of the blame for increasing security headaches.

“The security industry is a self-licking ice cream – it sells products by making them unique and self-serving,” he added. “The niche players by design want their products complicated enough that they can sell support services along with them.”
