Being a Chief Security Officer is not easy. Viewed by many in the business world as gloomy purveyors of doom and spoilers of fun and profit, CSOs are responsible for making sure that an enterprise’s information systems are secure and reliable. Under the best of circumstances, they occupy a lonely perch lacking in the glow that revenue and profit accountability attract. Security is a cost center - the bane of corporate existence. As such, it is under relentless pressure to reduce costs so that more sunlight can fall on the profit centers. This is true of virtually all sectors of the economy, including communications.
The Internet Security Alliance recently testified to the Senate Judiciary Committee that nearly half of all enterprises in 2009 reported that they are reducing budgets for information security initiatives. Hence, despite the wide range of generally accepted best practices and standards on cybersecurity that exist, the FCC is concerned about the extent to which these practices are applied to create a culture of cybersecurity among communications service providers. We are also concerned that consumers of communications remain in the dark about the cybersecurity practices of their communications providers.
Earlier this year, the FCC launched an inquiry into a voluntary cybersecurity certification program for communications service providers. The availability of such a certification would strengthen market incentives for providers of communications services to upgrade the cybersecurity measures they apply to their networks. Sure, a certification would enhance the security of the Nation’s communications infrastructure, but equally important, it would offer customers large and small real information about which communications service providers have implemented cybersecurity measures.
Our Notice of Inquiry is framed broadly and includes questions that range from the value of a certification program to the logistics of its implementation. It is the first step in a process to determine whether there are ways for the Commission to harness market forces to improve cybersecurity. If we are successful, customers will benefit through greater transparency about the security of the communications offerings before them. And CSOs may start to see some of the glow that had previously been reserved for the revenue engines of the firm.
Is this how you see it? File comments on this proposal and see what others have said. Our next deadline is September 8, 2010.
If cybersecurity interests you, you should also check out a related FCC inquiry on communications survivability and resiliency. In this proceeding, we are looking at the ability of existing broadband networks to withstand significant damage or severe overloads as a result of natural disasters, terrorist attacks, pandemics or other major public emergencies. You can read the Notice of Inquiry, view what others have said, and file your own comments. The next public comment deadline in this inquiry is September 3, 2010.