How federal tax incentives could help stem rampant data breaches
Posted on October 13, 2009 | 3 comments
One idea for motivating organizations to do a better job of stemming rampant data breaches: give them tax incentives to do so. Patricia Titus, former CISO at the Transportation Security Administration within the Department of Homeland Security and current CISO at Unisys Federal Systems, makes the case in this exclusive LastWatchdog guest blog post. Comments are encouraged.
By Patricia Titus
CISO, Unisys Federal Systems
How do we as a nation address the abysmal state of IT security? Lawmakers have been wrestling with the idea of more regulation, but that alone may not be enough to encourage better security practices. We already have several regulations that have not gotten us closer to the end zone. I’m in favor of tax incentives for companies that demonstrate effective IT security practices, but this cannot be done without a well thought out approach. Critical success factors must be developed in the form of a concise set of performance measures based on standards.
Under the Federal Information Security Management Act (FISMA), the National Institute of Standards and Technology (NIST) Computer Security Division, part of the Department of Commerce, develops the special publications and guidelines that federal agencies must follow. These well thought out guidelines, such as Special Publication 800-53 (the catalog of security controls for federal information systems), give federal chief information security officers a standardized approach to effective IT security. Why can’t this same division be charged with creating the same standards for the private sector?
The language in these guidance documents is so slanted toward the federal government that it’s difficult to get corporate executives to see their value. Also, CEOs are cost cutting right now, and implementing a program that may increase operating or capital expenses is unlikely to be appealing. However, if the adoption of these security standards were tied to a tax incentive, perhaps the CEO would be willing to spend a few dollars to earn it.
Comments (3)
At first glance it looks like a sensible idea. Very similar in essence to the basic idea behind PCI DSS: be secure, pay less commission. However, I don’t think that we have seen throughout the years many successful attempts by governments to promote technology through tax benefits. For example, I don’t think that recycling and green technologies are gaining momentum due to favorable taxation. I think that in reality it will be very hard to tie the tax benefit to real security value. What will happen is that we will have additional governmental expenses allocated to executing this plan, which will eventually allow large organizations to get tax refunds for as large a part of their IT spending as they can make look “security related” (e.g. 25% of the time of each IT employee is dedicated to security).
- Amichai
Comment by Amichai Shulman — 10/14/2009 @ 8:40 am
Attn: Patricia Titus, CISO Unisys:
Neither the Federal Govt nor private industry deserves tax benefits for their own incompetence over the past 30 years or so. What executive mgmt and their BODs need to focus on are solutions that are permanent. As for the Federal Govt, there are solutions such as our US Navy & AF as well as the Canadian Govt, etc. If Unisys is interested in a real STANDARDS based solution please contact me directly: ontinuump@gmail.com.
Comment by Bob Pollock, CEO — 10/17/2009 @ 4:13 pm
Patricia: sorry for the typos: it’s continuump@gmail.com or call me directly: 917-497-5523
Comment by Bob Pollock, CEO — 10/17/2009 @ 4:16 pm