Global CISOs Want Compliance to be Easier

Stop micromanaging and write regs that will help with security, report demands


A new report from RSA, but written and presented by a group of its customers called the Security for Business Innovation Council, proposes that the U.S. and other Western nations get their noses out of other people's business -- or at least pull back a bit so companies can do their business without the nose actually getting in the way.

The impetus is the belief, documented in reports such as this March Forrester study (PDF), that end-user companies are splitting 80 percent of their security budgets between two functions: securing private data, and proving they're in compliance with various federal regulations.

The latter is largely a waste of money that detracts from the former, according to a statement of purpose from a group of Global 1000 companies RSA assembles into an advisory group called the Security for Business Innovation Council. Its report, A New Era Of Compliance: the Bar for Organizations Worldwide, calls for fundamental shifts in how federal regulations are written to affect corporate IT and security staffs.

Regulations tend to be either too non-specific, so they don't provide any guidelines, or overly prescriptive, requiring, for example, that all data be encrypted in transmission at a minimum of 128 bits, according to Art Coviello, president of RSA.

"Does 'in transmission' mean just over the network? Or is it between the application and the database? The endpoint and the application? Between the hard drive and the screen?" Coviello asked. "And if you specify 128 bits, is Congress going to be keeping an eye on development so it can say right when it's relevant that '128 bits isn't secure anymore,' that we have to shift to another standard? Or is it going to stay there for years whether it works or not?"

Overall, global enforcement of data-security regulations is getting tighter, the rules are getting more detailed (sometimes to an impractical degree), and governments are making it clear companies will be responsible for the compliance sins of their business partners, no matter how little power they have to control one another's behavior.

Global businesses are spending too much money and time on repetitive tasks, data gathering and successive sets of specialized compliance tools to keep up with rules that don't improve security enough to justify all the extra effort.

RSA's Global 1000 council of CISOs would like governments to change the way they handle regulation so they make sense.

Also. They would like a pony.
