Speaking at a Gartner IT security conference less than 24 hours after CitiFinancial admitted it had lost almost 4 million records with personally identifiable information, John Pescatore told a packed room that Congress is bound to respond with new laws.
"What will be the next Sarbanes-Oxley? It's going to be some type of identity theft or data security legislation," said John Pescatore, a vice president and analyst at Gartner. "That's such a politician-friendly issue. It's the next big one coming."
CitiFinancial's revelation Monday only ups the pressure on lawmakers.
"Any regulation brought to security is a two-way sword. It's really nice to have a regulatory stick to whap [executives] over the head with, because it forces them to recognize that we need to change some things and spend some money on security," he said. "The dangerous side is that it often distracts that spending towards reporting on compliance versus increasing security."
According to Pescatore, compliance does not equal security.
That line of thinking, he said, leads to "this hangover that says, 'Cool, we had a big party, and we spent all this money, and now we're compliant.' But, we didn't change anything. We didn't use [that money] to change anything to get more secure."