Yesterday at our last security session at Gartner’s annual Symposium, I chaired a debate called “Is Government Regulation Required to Increase Cybersecurity?” The panelists were Gartner analysts French Caldwell, Paul Proctor and Earl Perkins. Basically, I was against government regulation and those three were for it.
Essentially, French felt regulation done right was needed and would increase cybersecurity. Earl said that capitalism had no conscience and regulation is always needed to inject that, and security is no different. Paul’s position was that regulation was needed to get management to pay attention.
My position is that regulation around cybersecurity can’t be done right, hasn’t and won’t inject security, and only causes management to pay attention to compliance, not security. The difference is critical – government regulations can only work when something is stable enough for slow-moving legislators to write regulations that can lead to some audit against some stable standard. Information technology is definitely not stable – software engineering is still an oxymoron. Most everyone agreed, and said that’s why the focus of legislation should be around “risk” not technology mandates.
I left the conference audience with my prediction: risk is pretty much like obscenity. It is impossible to define, but we all know it when we see it. But we all see it differently. Legislation around obscenity has a long torturous history of failing – especially where technology is involved. And technology is at the heart of the cybersecurity issue – that’s the cyber part.
My prediction is that any legislation in the next 5 years trying to mandate cybersecurity levels will be as completely ineffective and money-wasting as the V-Chip legislation was in the US in trying to deal with inappropriate content over televisions. I’ve used this analogy before – back in 2001 when the browser industry was trying to claim the use of Platform for Privacy Preferences technology would solve web privacy issues, I wrote a Gartner research note “P3P Will Be the V-Chip of the Internet.” That proved to be pretty dead on.