According to new research by Giga Information Group, Inc., the release of the "National Strategy to Secure Cyberspace" draft by the United States government is a major step in defining a strategy for security in the information age, and its recommendations will significantly change the landscape of information security in the U.S. and around the world.

Two Giga security experts contributed to the effort through their roles with the Information Systems Security Association (ISSA): Research Director Michael Rasmussen, CISSP, who also serves on the ISSA Board of Directors, and Steve Hunt, CISSP, vice president of Research and Security Research Leader at Giga. They coordinated town hall meetings, assisted in the rollout of the draft report, and provided analysis and advice on the strategy before its official release.

"Organizations are best served to take a close look at the strategy and understand the direct and/or indirect implications it can have on the way they approach information security," said Rasmussen. "At this point, the strategy needs to be finalized and turned into a plan, but the recommendations the strategy states are not at all vague and can have broad, sweeping impacts on organizations and security professionals. It will affect not only information security in the US, but around the world."

"We estimate that in five years the impact of the Strategy directly and indirectly will create a 33 percent reduction in risk to our economic infrastructure," adds Hunt. "We arrive at this estimation by considering the impact of department-led awareness programs, negotiations with vendors to make products more interoperable and cost-effective, and improvements in corporate security architecture due to the influence of the strategy."

Among the recommendations are:

  • increased corporate governance oversight of information security;
  • annual disclosure of security audits;
  • certification of security services/consulting firms that work with the federal government;
  • certification of security professionals, akin to other professions such as law and accounting;
  • requirements that applications default to secure settings and that software be designed using secure coding practices.

Although the US government tends not to regulate security directly, Rasmussen states in a Giga report on the draft strategy that security may nonetheless be regulated in unforeseen ways, for example:

  • The strategy provides a blueprint for possible legislative action.
  • It recommends best practices that can be interpreted as a duty of care, which organizations would adopt to remove potential liability.
  • Even if no specific broad regulations are established, governing agencies and regulatory bodies may take it upon themselves to enforce many of the recommendations in the organizations they oversee.
