Security Here and There
SAN FRANCISCO -- This week's annual RSA Conference here is, of course, all about the latest in security. But a company's choice of which security strategies and products to pursue depends on more than popular trends or features. The regulatory environment and a company's own business needs also shape its security plan.
While Sarb-Ox and HIPAA set some standards for data protection and retention, the U.S. tends to have a different focus from countries in Europe and Asia.
One thing on attendees' minds at RSA was the way globalization has changed security -- and the way U.S. regulation has lagged behind other countries' in some areas. NSFocus, maker of security gateways and other hardware/software combos for threat management, exhibited at the conference in search of U.S. sales partners. Ma Bo, regional manager for NSFocus, said the company has a huge market share in its home base of China, thanks to Beijing's rules demanding advanced security for financial and commercial institutions. He finds U.S. regulations more lax.
The United States is also seen by other foreign vendors here as lagging when it comes to mandating strong security for consumer data and services.
In an RSA "town hall" presentation about Cyber Storm II, an audience member told Greg Garcia, Homeland Security assistant secretary, that the Federal government should establish standardized digital certificates for banks. "We're way behind Europe," he said, "and that drives more of the hackers here."
But this may be the result of a different emphasis here and abroad, rather than looser government.
While legislation in the EU focuses on keeping companies from gathering too much data on citizens, in the States, the focus is on requiring companies to disclose when consumers' personal data has been compromised.
Privacy versus security
"To them, privacy is paramount and trumps security," said Michael Markulec, COO of Lumeta, a network security vendor. "I'd argue that in the United States, security is trumping the privacy issues." Efforts to control things like identity theft tend to focus on keeping people from unauthorized access to the network, rather than on limiting data collection. Network security is more important to businesses, he allowed, "but we need to strike a balance."
This year, Markulec sees database security as one of the top issues on the minds of conference attendees. That could be because they want to avoid the embarrassment of making the news when customer data is lost or stolen.
U.S. Senator Dianne Feinstein (Calif.) has two bills in the hopper, the Notification of Risk to Personal Data Act and the Social Security Number Misuse Prevention Act. The data breach act was introduced in 2003; neither has passed. California passed a similar bill requiring data brokers to disclose security breaches to the public in 2006, and other states have followed suit. But there remains no federal law, in part because California lawmakers refused to vote for a bill that would trump more stringent state laws.
In fact, most legislation sets the bar low, said Paul Davie, founder of Secerno, a British database security company that just launched in the United States. "They can't set the level at best-of-breed," he told InternetNews.com. "They need to set something that's doable by the majority of companies. Otherwise, the kickback from business would be enormous."
Meanwhile, compliance with audit and regulatory requirements remains the top-rated pain point for information security professionals, according to TheInfoPro, an IT market research firm. Its latest study found that 55 percent of those surveyed planned a 56 percent increase in spending in 2008.
Ultimately, legislation can't drive security, said Sam Paone, Secerno's vice president of sales for North America. "The technology evolves and outstrips legislation all the time," he told InternetNews.com. "As soon as hackers know what it takes to be compliant, they figure out ways around it. A lot of compliance is looking in the rearview mirror."