Security Leaders Give IT a C+ Grade: Page 2
But Kurtz says that C+ grade doesn't apply across the board. The financial sector is way ahead of the rest of the pack, he says, garnering them a B+ grade. Strict regulations in the financial sector have helped to make the difference, he notes.
Lewis agrees, adding that regulations like Sarbanes-Oxley and the Health Insurance Portability and Accountability Act (HIPAA) have made a big difference for many companies, forcing their hands to spend the money and time to upgrade their information security. At first Lewis gave corporate America a C+ grade for security and then bumped it up to a B or a B-.
The problem, says Lewis, is that good security is too hit-and-miss. One sector is strong. Others are not. One company is doing a good job. Others are not. ''When people talk about damages from worms or viruses... some companies have experienced losses while competitors have had little problems. That's maybe not so good,'' he says. ''The question is how do we level it off so it's not that some companies are good and some are not, some agencies are good and some are not?''
And Lewis, who spoke on the same RSA panel as Schmidt last week, was quick to counter his colleague and say he's not so sure that there hasn't been a 'very damaging cyber incident' in the last few years. ''They may just not be well known,'' he added.
What is Government's Role?
Should government be leading the charge for tougher security or should it stick to making suggestions and organizing research committees? Is government helping or not? These questions got mixed answers at the conference.
The National Strategy to Secure Cyber Space, which was released several years ago now, was designed to act as a roadmap to implementing better security and to encourage companies to improve their performance. It's had a positive influence on the industry, says Schmidt. ''The idea was not to mandate but to engage and create awareness that things need to be done, he adds. ''It was to lay out a high-level concept of what needs to happen.''
Lewis disagrees, saying the government itself has been slow to engage.
''The government has been pretty irrelevant,'' he says. ''The National Strategy to Secure Cyberspace has been useful as a paper weight. It can hold your door open. It didn't ask anyone to do anything... If there wasn't a federal effort, how much worse off would we be? I think the answer is mixed.''
Andy Purdy, acting director of the National Cyber Security Division at the Department of Homeland Security, told the RSA panel audience that the government's role is 'not being in charge' but opening up paths of communication between law enforcement, the government, the private sector and academia.
''We want to move beyond information sharing and move into true collaboration,'' he said. ''We have to have the ability to detect and recognize malicious activity, the ability to respond to malicious activity, the ability to put out shared information and the ability to recover from significant cyber disruptions.''
Kurtz, who did not sit on the panel but spoke at the conference separately, said there's no time for corporate IT managers to wait around for government agencies or committees to push them in any one direction. Cyber criminals are becoming an increasingly dangerous foe, and IT needs to be strengthening its defenses.
''The industry has a decision to make,'' he said. ''They can wait for government to mandate or they can take steps themselves... A year ago, a lot of people said security problems were hype. It was just the tech guys making noise and looking for attention. Well, it's not hype. This is serious.''